Abstract

Pell's equation is $x^2 - dy^2 = 1$ where $d$ is a square-free integer and we seek positive integer
solutions $x, y > 0$. Let $(x_0, y_0)$ be the smallest solution (i.e. having smallest $A = x_0 + y_0\sqrt{d}$).
Lagrange showed that every solution can easily be constructed from $A$, so given $d$ it suffices
to compute $A$. It is known that $A$ can be exponentially large in $d$, so just to write down
$A$ we need exponential time in the input size $\log d$. Hence we introduce the regulator $R =
\ln A$ and ask for the value of $R$ to $n$ decimal places. The best known classical algorithm has
sub-exponential running time $O(\exp\sqrt{\log d}\,\mathrm{poly}(n))$. Hallgren's quantum algorithm gives the
result in polynomial time $O(\mathrm{poly}(\log d), \mathrm{poly}(n))$ with probability $1/\mathrm{poly}(\log d)$. The idea of
the algorithm falls into two parts: using the formalism of algebraic number theory we convert
the problem of solving Pell's equation into the problem of determining $R$ as the period of
a function on the real numbers. Then we generalise the quantum Fourier transform period
finding algorithm to work in this situation of an irrational period on the (not finitely generated)
abelian group of real numbers.

These notes are intended to be accessible to a reader having no prior acquaintance with algebraic number theory; we give a self-contained account of all the necessary concepts and we give elementary proofs of all the results needed. Then we go on to describe Hallgren's generalisation of the quantum period finding algorithm, which provides the efficient computational solution of Pell's equation in the above sense.
1 The computational task of solving Pell's equation

Let $\mathbb{N}$, $\mathbb{Z}$, $\mathbb{Q}$ and $\mathbb{R}$ denote respectively the sets of natural numbers, integers, rational numbers and real numbers. Pell's equation is

$$x^2 - dy^2 = 1 \qquad (1)$$

where $d \in \mathbb{N}$ is a square-free natural number (i.e. not divisible by $p^2$ for any prime $p$). We wish to find (positive) integer solutions $(x, y) \in \mathbb{Z} \times \mathbb{Z}$.

Pell's equation has a rich and colourful history spanning almost 2000 years (cf. [?] and further references therein). Diophantus (c. 250 AD) gave solutions for $d = 26$ and $30$, and we read that the English mathematician John Pell (1610-1685) actually had nothing to do with the equation! The appellation "Pell's equation" is based on a confusion originating with Euler, who mis-attributed to Pell a solution which was actually provided by Lord Brouncker in response to a challenge of Fermat.

It is known that Pell's equation has infinitely many solutions for any square-free $d$. An elementary proof of this fact can be found in [?], chapter 17 §5.

Since $\sqrt{d}$ is irrational for any square-free integer $d$, we have

$$a + b\sqrt{d} = x + y\sqrt{d} \ \text{ for } a, b, x, y \in \mathbb{Z} \text{ (or } \in \mathbb{Q}\text{)} \ \text{ iff } a = x \text{ and } b = y. \qquad (2)$$

Hence we can uniquely code any solution $(x, y)$ as $x + y\sqrt{d} \in \mathbb{R}$. Correspondingly we will say that $\sigma \in \mathbb{R}$ is a solution of Pell's equation if $\sigma$ has the form $\sigma = s + t\sqrt{d}$ with $s, t \in \mathbb{Z}$ and $s^2 - dt^2 = 1$.

If $\xi = x + y\sqrt{d}$ for $x, y \in \mathbb{Q}$ we introduce the conjugation operation

$$\bar{\xi} = \overline{x + y\sqrt{d}} = x - y\sqrt{d}$$

which is well defined by eq. (2). It has the following immediate properties:

$$\bar{\bar{\xi}} = \xi, \qquad \overline{\xi + \eta} = \bar{\xi} + \bar{\eta}, \qquad \overline{\xi\eta} = \bar{\xi}\bar{\eta}. \qquad (3)$$

Pell's equation can be written

$$\xi\bar{\xi} = 1 \qquad (4)$$

so any solution $\xi = x + y\sqrt{d}$ has the property that $\bar{\xi} = x - y\sqrt{d} = 1/\xi$.

Proposition 1 If $\alpha = a + b\sqrt{d}$ and $\xi = x + y\sqrt{d}$ are both solutions of Pell's equation then so are (i) $\bar{\alpha}$ and (ii) $\alpha\xi = (a + b\sqrt{d})(x + y\sqrt{d})$ (where we multiply out the RHS and write it as $s + t\sqrt{d} = (ax + byd) + (ay + bx)\sqrt{d}$). In particular $\alpha^n = (a + b\sqrt{d})^n$ is a solution for all $n \in \mathbb{Z}$.

Proof (i) follows immediately from eq. (4) and the definition of conjugation. For (ii) we note that $\alpha\bar{\alpha} = \xi\bar{\xi} = 1$ so $(\alpha\xi)\overline{(\alpha\xi)} = \alpha\bar{\alpha}\xi\bar{\xi} = 1$ i.e. $\alpha\xi$ is a solution. Similarly $\overline{\alpha^n} = \bar{\alpha}^n$ so $\alpha^n\overline{\alpha^n} = (\alpha\bar{\alpha})^n = 1$. ■

Example For $d = 5$ we have the solution $9 + 4\sqrt{5}$ (i.e. $x = 9$ and $y = 4$). Now we easily check that $(9 + 4\sqrt{5})^3 = 2889 + 1292\sqrt{5}$ so $x = 2889$ and $y = 1292$ is also a solution. In fact every solution for $d = 5$ can be generated as a power of $9 + 4\sqrt{5}$ (cf. theorem 1 below).

Theorem 1 (Lagrange 1768) Let $\xi_1 = x_1 + y_1\sqrt{d}$ be the least positive solution of Pell's equation, i.e. $x_1, y_1 > 0$ and $\xi_1$ is minimum amongst such solutions. Then every positive solution $(s, t)$ is obtained as a power of $\xi_1$:

$$s + t\sqrt{d} = (x_1 + y_1\sqrt{d})^n \ \text{ for some } n \in \mathbb{N}.$$
Proof From proposition 1 we have that $\xi_1^n$ is a positive solution for any $n \in \mathbb{N}$.

Conversely suppose that $s + t\sqrt{d}$ is a positive solution not of the form $\xi_1^n$ for any $n$. Then there exists $k \in \mathbb{N}$ with

$$\xi_1^k < s + t\sqrt{d} < \xi_1^{k+1}$$

so

$$1 < (s + t\sqrt{d})(x_1 - y_1\sqrt{d})^k < (x_1 + y_1\sqrt{d}). \qquad (5)$$

Now write

$$\alpha = a + b\sqrt{d} = (s + t\sqrt{d})(x_1 - y_1\sqrt{d})^k .$$

By proposition 1 we have $\alpha\bar{\alpha} = 1$ so $(a, b)$ is a solution of Pell's equation and eq. (5) says

$$1 < a + b\sqrt{d} < x_1 + y_1\sqrt{d}.$$

To complete the proof we show that $a > 0$ and $b > 0$, contradicting the fact that $\xi_1$ was the least positive solution. Since $a - b\sqrt{d} = \frac{1}{a + b\sqrt{d}}$ we have

$$0 < a - b\sqrt{d} < 1.$$

From $a + b\sqrt{d} > 1$ and $a - b\sqrt{d} > 0$ we get $a > \frac{1}{2}$. Hence $a \geq 1$.

From $a - b\sqrt{d} < 1$ we get $b > \frac{a - 1}{\sqrt{d}} \geq 0$. Hence both $a$ and $b$ are $> 0$ and we have our contradiction. Thus every positive solution must be a power of $\xi_1$. ■

The smallest positive solution $\xi(d) = x_1 + y_1\sqrt{d}$ is called the fundamental solution. Solving Pell's equation is equivalent to giving the fundamental solution. As a computational task the input is the number $d$ with input size $\log d$. However the magnitude of $\xi(d)$ can be as large as $\xi(d) \sim O(e^{\sqrt{d}})$, so even to write down $\xi(d)$ we potentially need $O(\sqrt{d})$ digits, which is exponentially large in the input size.

Examples of fundamental solutions are given in the following table.

    d        x1                                               y1
    2        3                                                2
    3        2                                                1
    5        9                                                4
    13       649                                              180
    14       15                                               4
    15       4                                                1
    29       9801                                             1820
    61       1766319049                                       226153980
    109      158070671986249                                  15140424455100
    2009     141012534067201                                  3146065416960
    4009     3799                                             60
    6009     131634010632725315892594469510599473884013975    1698114661157803451688949237883146576681644
    6013     40929908599                                      527831340
    10209    130969496245430263159443178775                   1296219513663218157975941956
    16383    128                                              1

(The interested reader can find more examples at

http://www.bioinfo.rpi.edu/~zukerm/cgi-bin/dq.html

and note also the remark after theorem 3 below, concerning the equation $x^2 - dy^2 = -1$). To get around the exponentially large size of the integers $x_1$ and $y_1$ we introduce the regulator (an irrational number):

$$R = \ln(x_1 + y_1\sqrt{d}).$$

Then $\lceil R \rceil$ (the least integer $\geq R$) has $O(\log d)$ digits. Our fundamental computational task becomes:

Given $d$ (a square-free integer) find the regulator $R$ to $n$ digits of accuracy in $\mathrm{poly}(\log d, n)$ time.

The best known classical algorithm has running time $O(e^{\sqrt{\log d}}\,\mathrm{poly}(n))$, which is exponential in the input size.

Actually we can avoid having to consider the accuracy parameter $n$ using the following result, stating that it suffices to compute the integer part of $R$.

Proposition 2 If we are given the closest integer above or below the regulator $R$ then there exists a classical algorithm that will compute $R$ to $n$ digits of accuracy with running time $\mathrm{poly}(n, \log d)$.

We will give a proof later (in a later section, after the proof of the theorem on which it relies).

1.1 Approach for the efficient quantum algorithm 

Using results from algebraic number theory we will set up a function $h : \mathbb{R} \to A$ (where the nature of the set $A$ will be given later, but for now, think of $A$ as being $\mathbb{R}$ too) with the following properties.

(a) $h$ is computable in polynomial time. More precisely if $x$ is a real number which is an integer multiple of $10^{-n}$ then the value of $h(x)$ can be computed accurate to $10^{-n}$ in $\mathrm{poly}(\log d, \log x, n)$ time.

(b) $h$ is periodic on $\mathbb{R}$ with (irrational) period $R$, the regulator, and $h$ is one-to-one within each period.

We then adapt the standard quantum Fourier transform period finding algorithm (that is used in Shor's algorithm and other hidden subgroup problems) to work in the case of the (not finitely generated) abelian group $\mathbb{R}$ and irrational period $R$. In fact we will just discretise $h$ by taking $x = k/N$ for suitably large chosen values of $N$, and round off values of $h(x)$ too, to get a discrete domain and range. Then we show that the resulting function (which is not quite periodic because of rounding effects in both the domain and range) can give the desired approximations to $R$ to increasing accuracy (as $N$ is increased).

Thus the ingredients of Hallgren's algorithm fall into two essentially disjoint parts. The first part 
constructs the function h from the classical mathematics of algebraic number theory and shows that 
it is efficiently computable. This part has no quantum ingredients. The second part (having the 
whole quantum content) shows how to generalise the standard quantum period finding algorithm to 
work on real numbers, to determine an irrational period to any desired accuracy. 

1.2 Note to the reader 

One of the most interesting features of Hallgren's algorithm is that it expands the applicability of quantum computation into new areas of mathematics viz. fundamental computational problems of algebraic number theory, especially the study of ideals of the algebraic integers in quadratic number fields (cf. later for an explanation of all these terms). In particular we get efficient quantum algorithms for the solution of Pell's equation, the principal ideal problem and the determination of the class group (and none of these have known classical efficient solutions).

In these notes we assume no prior knowledge of algebraic number theory. After much lucubration we have developed a self-contained account of the necessary parts of this theory with all properties and theorems being proved by elementary means. Nevertheless for readers unacquainted with algebraic number theory it may be advisable to skip many of the proofs on initial reading, while focussing on the statements, concepts and terminology.

Our account of algebraic number theory is based primarily on [2] with further reference to [?], [5] and [7]. The description of the generalised quantum period finding algorithm and its application to Pell's equation is just an expanded version of Hallgren's account in [?].
2 Algebraic integers in a quadratic number field



Let $d$ be a square-free positive integer. The quadratic number field $\mathbb{Q}[\sqrt{d}]$ is defined to be the set

$$\mathbb{Q}[\sqrt{d}] = \{r_1 + r_2\sqrt{d} : r_1, r_2 \in \mathbb{Q}\}.$$

We think of $\mathbb{Q}[\sqrt{d}]$ as an extension of the usual rational numbers $\mathbb{Q}$. (Indeed the irrational $\sqrt{d}$ amongst rationals behaves rather like the complex $i$ amongst reals). It is clearly closed under the usual arithmetic operations of addition, multiplication and formation of reciprocals, e.g. if $\xi = r_1 + r_2\sqrt{d} \neq 0$ then $\frac{1}{\xi} = (r_1 - r_2\sqrt{d})/(r_1^2 - r_2^2 d)$ which is clearly in $\mathbb{Q}[\sqrt{d}]$ (and the denominator is never zero as $\sqrt{d}$ is irrational). Also in addition to eq. (3) we have $\overline{\xi/\eta} = \bar{\xi}/\bar{\eta}$.

$\xi \in \mathbb{Q}[\sqrt{d}]$ is an algebraic integer if $\xi$ is the root of a polynomial with integer coefficients and with leading coefficient 1, i.e. for some $n \in \mathbb{N}$ we have $\xi^n + a_{n-1}\xi^{n-1} + \ldots + a_1\xi + a_0 = 0$ where $a_0, a_1, \ldots, a_{n-1} \in \mathbb{Z}$. Let $\mathcal{O}$ denote the set of all algebraic integers in $\mathbb{Q}[\sqrt{d}]$. $\mathcal{O}$ is a generalisation of the usual notion of integers $\mathbb{Z} \subset \mathbb{Q}$ in the following sense.

Proposition 3 In $\mathbb{Q}$ the algebraic integers are just the usual integers $\mathbb{Z}$.

Proof Suppose that $\frac{p}{q}$ (with $p, q \in \mathbb{N}$ having no common divisors except 1) satisfies a polynomial equation as above:

$$\left(\frac{p}{q}\right)^n + a_{n-1}\left(\frac{p}{q}\right)^{n-1} + \ldots + a_0 = 0.$$

Then multiplying through by $q^{n-1}$ shows that $\frac{p^n}{q}$ is an integer, i.e. $q$ must divide $p$ so $q = \pm 1$. ■

Proposition 4 If $\alpha_1$ and $\alpha_2$ are algebraic integers in $\mathbb{Q}[\sqrt{d}]$ then $\alpha_1 + \alpha_2$ and $\alpha_1\alpha_2$ are also algebraic integers.

Proof Clearly $\alpha_1 + \alpha_2$ and $\alpha_1\alpha_2$ are in $\mathbb{Q}[\sqrt{d}]$. Since $\alpha_1$ and $\alpha_2$ are algebraic integers there are polynomial equations

$$\alpha_1^n + k_{n-1}\alpha_1^{n-1} + \ldots + k_0 = 0$$
$$\alpha_2^m + l_{m-1}\alpha_2^{m-1} + \ldots + l_0 = 0$$

with $k_i, l_i \in \mathbb{Z}$.

Let $V$ be the set of all $\mathbb{Z}$-linear combinations of $\beta_{ij} = \alpha_1^i\alpha_2^j$ for $0 \leq i < n$ and $0 \leq j < m$, i.e. $V = \{\sum k_{ij}\beta_{ij} : k_{ij} \in \mathbb{Z}\}$. Clearly $\gamma \in V$ implies that $\alpha_1\gamma \in V$ and $\alpha_2\gamma \in V$ (as we can use the above polynomial equations to express $\alpha_1^n$ and $\alpha_2^m$ in terms of lower powers). Hence $(\alpha_1 + \alpha_2)\gamma$ and $(\alpha_1\alpha_2)\gamma$ are both in $V$. Thus by lemma 1 below, $\alpha_1 + \alpha_2$ and $\alpha_1\alpha_2$ are algebraic integers. ■

Lemma 1 Let $\gamma_1, \ldots, \gamma_l$ be any chosen complex numbers and let $V = \{\sum k_i\gamma_i : k_i \in \mathbb{Z}\}$. Suppose that a complex number $\alpha$ has the property that $\alpha\gamma \in V$ for all $\gamma \in V$. Then $\alpha$ is an algebraic integer.

Proof $\alpha\gamma_i \in V$ so $\alpha\gamma_i = \sum_j a_{ij}\gamma_j$ for some $a_{ij} \in \mathbb{Z}$. Hence $\sum_j (a_{ij} - \delta_{ij}\alpha)\gamma_j = 0$, so by standard linear algebra we have $\det(a_{ij} - \delta_{ij}\alpha) = 0$, giving the required polynomial equation with $\alpha$ as a root. ■

Proposition 5 $\xi = r + s\sqrt{d} \in \mathbb{Q}[\sqrt{d}]$ is an algebraic integer iff $2r$ and $r^2 - s^2 d$ are both integers.

Proof Note that $2r = \xi + \bar{\xi}$ and $r^2 - s^2 d = \xi\bar{\xi}$. Hence if both of these are integers then the polynomial equation $(x - \xi)(x - \bar{\xi}) = x^2 - (\xi + \bar{\xi})x + \xi\bar{\xi} = 0$ shows that the root $\xi$ is an algebraic integer. Conversely suppose that $\xi$ is an algebraic integer. Then $\bar{\xi} \in \mathcal{O}$ too (satisfying the same polynomial equation). Hence by proposition 4 we have that $2r = \xi + \bar{\xi}$ and $r^2 - s^2 d = \xi\bar{\xi}$ are algebraic integers. But these are both pure rationals so by proposition 3 they must be integers. ■
Example If $m, n \in \mathbb{Z}$ then $m + n\sqrt{d}$ is always an algebraic integer for any $d$ (as follows immediately from proposition 5) but for some $d$ values there are more algebraic integers, e.g. if $d = 5$ then $\frac{1 + \sqrt{5}}{2}$ is an algebraic integer (since it is a root of $x^2 - x - 1 = 0$). Below we will explicitly characterise $\mathcal{O}$ for any $d$.

Remark on notations For any $\alpha, \beta \in \mathbb{Q}[\sqrt{d}]$ we will write

$$\mathbb{Z}[\alpha] = \{m + n\alpha : m, n \in \mathbb{Z}\}$$

$$\alpha\mathbb{Z} = \{n\alpha : n \in \mathbb{Z}\}$$

$$\alpha\mathbb{Z} + \beta\mathbb{Z} = \{n\alpha + m\beta : m, n \in \mathbb{Z}\}$$

In particular we can write $\mathbb{Z}[\alpha] = \mathbb{Z} + \alpha\mathbb{Z}$.

We will also use the following properties:

(a) $\alpha\mathbb{Z} = -\alpha\mathbb{Z}$.

(b) If $a, b \in \mathbb{Z}$ then $a\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z} = a\mathbb{Z} + \frac{b' + \sqrt{D}}{2}\mathbb{Z}$ for any $b'$ having $b' \equiv b \bmod 2a$.

(c) If $a, b \in \mathbb{N}$ then Euclid's algorithm states that the greatest common divisor $\gcd(a, b)$ of $a$ and $b$ can be expressed as $\gcd(a, b) = ka + lb$ for some $k, l \in \mathbb{Z}$. Hence $a\mathbb{Z} + b\mathbb{Z} = \gcd(a, b)\mathbb{Z}$. (To see this let $g = \gcd(a, b)$. Then LHS $\subseteq$ RHS as $a = a'g$ and $b = b'g$ for $a', b' \in \mathbb{Z}$, so anything in LHS is a multiple of $g$. Conversely RHS $\subseteq$ LHS, as by Euclid's algorithm, every multiple of $g$ has the form $k'a + l'b$ with $k', l' \in \mathbb{Z}$).



Theorem 2 In $\mathbb{Q}[\sqrt{d}]$ the set of algebraic integers has the form

$$\mathcal{O} = \{m + n\omega : m, n \in \mathbb{Z}\}$$

where

if $d \equiv 1 \bmod 4$ we can take $\omega = \frac{1 + \sqrt{d}}{2}$,

if $d \equiv 2$ or $3 \bmod 4$ we can take $\omega = \sqrt{d}$.

(Since $d$ is square-free we never have $d \equiv 0 \bmod 4$).

Proof Let $\xi = r + s\sqrt{d} \in \mathbb{Q}[\sqrt{d}]$. Suppose $\xi \in \mathcal{O}$. Then $2r \in \mathbb{Z}$ and $r^2 - s^2 d \in \mathbb{Z}$, so $4s^2 d = (2r)^2 - 4(r^2 - s^2 d) \in \mathbb{Z}$. Hence any prime $p > 2$ in the denominator of $s$ must have $p^2$ dividing $d$, which is impossible as $d$ is square-free. Hence $2s \in \mathbb{Z}$. Set $2r = m$ and $2s = n$. Then $r^2 - s^2 d \in \mathbb{Z}$ implies $m^2 - dn^2 \equiv 0 \bmod 4$. Recall that any square is congruent to 0 or 1 mod 4 (because $(2k)^2 = 4k^2 \equiv 0$ and $(2k + 1)^2 = 4k^2 + 4k + 1 \equiv 1 \bmod 4$).

If $d \equiv 2$ or $3 \bmod 4$: then $m^2 - dn^2 \equiv m^2 + 2n^2$ or $m^2 + n^2 \bmod 4$. The only way that $m^2 + 2n^2$ or $m^2 + n^2$ can be divisible by 4 is for both $m$ and $n$ to be even, and this is the case iff $r$ and $s$ are integers. Hence if $d \equiv 2$ or $3 \bmod 4$ then any algebraic integer has the form $m + n\sqrt{d}$ for $m, n \in \mathbb{Z}$. Conversely by proposition 5 any expression of this form is an algebraic integer.

If $d \equiv 1 \bmod 4$: then $m^2 - dn^2 \equiv m^2 - n^2 \bmod 4$ and this can be divisible by 4 iff $m$ and $n$ are both even or both odd. Thus any algebraic integer has the form $\frac{m + n\sqrt{d}}{2}$ with $m, n \in \mathbb{Z}$ both even or both odd. Conversely any number $\xi$ of this form has $\xi + \bar{\xi} = m \in \mathbb{Z}$ and $\xi\bar{\xi} = \frac{m^2 - n^2 d}{4} \in \mathbb{Z}$ since $d \equiv 1 \bmod 4$. Thus by proposition 5 $\xi$ is an algebraic integer. Finally writing

$$\frac{m + n\sqrt{d}}{2} = \frac{m - n}{2} + n\left(\frac{1 + \sqrt{d}}{2}\right)$$

with $\frac{m - n}{2} \in \mathbb{Z}$ (as $m, n$ have the same parity) we see that

$$\left\{\frac{m + n\sqrt{d}}{2} : m, n \in \mathbb{Z} \text{ are both even or both odd}\right\} = \left\{k + l\left(\frac{1 + \sqrt{d}}{2}\right) : k, l \in \mathbb{Z}\right\}. \ ■$$

Note that 1 and $\omega$ are linearly independent over $\mathbb{Q}$, i.e. $r_1 \cdot 1 + r_2\omega = 0$ for $r_1, r_2 \in \mathbb{Q}$ iff $r_1 = r_2 = 0$. Thus we see that $\mathcal{O}$ behaves like a 2 dimensional "vector space" where 1 and $\omega$ are basis vectors but the coefficients for linear combinations must be integers. Such a structure is called a $\mathbb{Z}$-module.

Although we are drawing an analogy with vector spaces it is interesting to note that actually, the notion of $\mathbb{Z}$-module is the same as the notion of abelian group: clearly any $\mathbb{Z}$-module as above is an abelian group under addition. Conversely if $(G, +)$ is any abelian group then writing $g + g + \ldots + g$ ($n$ times) as $(n)g$ and the inverse $-g$ of $g$ as $(-1)g$, then $G$ can be viewed naturally as a $\mathbb{Z}$-module, i.e. $G$ is the same as the set of all $\mathbb{Z}$-linear combinations of elements of $G$.

A pair of elements $\alpha, \beta \in \mathcal{O}$ is called an integral basis of $\mathcal{O}$ if $\mathcal{O} = \{m\alpha + n\beta : m, n \in \mathbb{Z}\}$. Hence $\{1, \omega\}$ is an integral basis but the choice is not unique (cf. proposition 12 later).

Proposition 6 If $\{\alpha, \beta\}$ is any integral basis of $\mathcal{O}$ then

$$D = \left(\det\begin{pmatrix} \alpha & \beta \\ \bar{\alpha} & \bar{\beta} \end{pmatrix}\right)^2$$

is a positive integer independent of the choice of basis. $D$ is called the discriminant of $\mathbb{Q}[\sqrt{d}]$. In fact if $d \equiv 1 \bmod 4$ then $D = d$ and if $d \equiv 2, 3 \bmod 4$ then $D = 4d$.

Proof Let $\{\alpha, \beta\}$ be an integral basis. Since $\{1, \omega\}$ is an integral basis we have

$$(\alpha \ \ \beta) = (1 \ \ \omega)\, M, \qquad M = \begin{pmatrix} a_1 & b_1 \\ a_2 & b_2 \end{pmatrix}$$

for some integers $a_1, a_2, b_1, b_2$. Hence

$$(1 \ \ \omega) = (\alpha \ \ \beta)\, M^{-1}$$

but $\{\alpha, \beta\}$ is an integral basis too so $M^{-1}$ must have integer entries. Since $M$ and $M^{-1}$ both have integer entries it follows that $\det M = \pm 1$ (because $\det M$ and $\det M^{-1} = 1/\det M$ are both integers). Thus

$$\left(\det\begin{pmatrix} \alpha & \beta \\ \bar{\alpha} & \bar{\beta} \end{pmatrix}\right)^2 = (\det M)^2 \left(\det\begin{pmatrix} 1 & \omega \\ 1 & \bar{\omega} \end{pmatrix}\right)^2 = \left(\det\begin{pmatrix} 1 & \omega \\ 1 & \bar{\omega} \end{pmatrix}\right)^2 .$$

Using the explicit values of $\omega$ in theorem 2 we get:
if $d \equiv 1 \bmod 4$ then $D = d$;
if $d \equiv 2, 3 \bmod 4$ then $D = 4d$. ■

Hence an integer $D \in \mathbb{N}$ is the discriminant of some $\mathbb{Q}[\sqrt{d}]$ iff $D \equiv 1 \bmod 4$ or else $D \equiv 0 \bmod 4$ and then $\frac{D}{4} \equiv 2, 3 \bmod 4$. Using the notion of discriminant we can give a unified description of $\mathcal{O}$ (without having to separate two cases of $d \bmod 4$). Indeed it will often be easier to work with $D$ rather than $d$.

Proposition 7 Let $D$ be the discriminant of $\mathbb{Q}[\sqrt{d}]$. Then in all cases $\mathcal{O} = \left\{m + n\frac{D + \sqrt{D}}{2} : m, n \in \mathbb{Z}\right\}$.

Proof This follows immediately from the above values of $D$ and $\omega$ for the various cases of $d \bmod 4$.


3 Algebraic integers and Pell's equation 

We now establish the connection between algebraic integers and Pell's equation. 

An algebraic integer $\xi \in \mathcal{O}$ is called a unit if it has a multiplicative inverse that is also an algebraic integer. According to this definition, in the usual integers $\mathbb{Z}$ (or rationals $\mathbb{Q}$), there are only two units viz. $\pm 1$.

Proposition 8 $\xi = x + y\sqrt{d} \in \mathcal{O}$ is a unit iff $2x \in \mathbb{Z}$ and $x^2 - dy^2 = \pm 1$ (i.e. we have a strengthening of the conditions in proposition 5).

Proof Recall that for any $\xi \in \mathbb{Q}[\sqrt{d}]$

$$\frac{1}{\xi} = \frac{\bar{\xi}}{\xi\bar{\xi}} = \frac{x - y\sqrt{d}}{x^2 - dy^2}.$$

By proposition 5, $\xi \in \mathcal{O}$ iff $2x \in \mathbb{Z}$ and $x^2 - dy^2 \in \mathbb{Z}$, and for $\frac{1}{\xi}$ to be in $\mathcal{O}$ we also require $\frac{2x}{x^2 - dy^2} \in \mathbb{Z}$ and $\frac{x^2 - dy^2}{(x^2 - dy^2)^2} = \frac{1}{x^2 - dy^2} \in \mathbb{Z}$, i.e. $x^2 - dy^2 = \pm 1$. ■

Hence (in contrast to Z) there are infinitely many units in O and they are intimately related to 
solutions of Pell's equation i.e. solutions of Pell's equation can be viewed as a natural generalisation 
of the fundamental integers ±1. 

Proposition 9 If $a + b\sqrt{d} > 1$ is a unit then $a > 0$ and $b > 0$.

Proof Arguing by contradiction, suppose that $\xi = x - y\sqrt{d} > 1$ is a unit with $x > 0, y > 0$. Then

$$0 < \frac{1}{\xi} = \frac{x + y\sqrt{d}}{x^2 - dy^2} < 1.$$

But $x^2 - dy^2 = \pm 1$ so $\frac{1}{\xi} > 0$ gives $x^2 - dy^2 = 1$ and then $x + y\sqrt{d} < 1$. Now $x^2 - dy^2 = 1$ implies $x > 1$, in contradiction to $x + y\sqrt{d} < 1$. Similarly $-x + y\sqrt{d}$ cannot be a unit if it is $> 1$. ■

A slight generalisation of theorem 1 characterises all units:

Theorem 3 Let $\epsilon_0$ be the smallest unit in $\mathcal{O}$ that is greater than 1. Then the set of all units is given by $\{\pm\epsilon_0^k : k \in \mathbb{Z}\}$.

$\epsilon_0$ is called the fundamental unit.

Proof The proof is very similar to that of theorem 1 and we omit duplicating the details. ■

Remark If $d \equiv 2, 3 \bmod 4$ then $\mathcal{O} = \mathbb{Z}[\sqrt{d}]$, so if the fundamental unit $\epsilon_0 = m + n\sqrt{d}$ has $m^2 - dn^2 = 1$ then the units are exactly the solutions of Pell's equation. If $m^2 - dn^2 = -1$ then $\xi_1 = \epsilon_0^2 = m' + n'\sqrt{d}$ with $m' = 2m^2 + 1$ and $n' = 2mn$ has $m'^2 - dn'^2 = \epsilon_0^2\bar{\epsilon}_0^2 = (-1)^2 = 1$ and it generates all solutions of Pell's equation via theorem 1.

If $d \equiv 1 \bmod 4$ then $\mathcal{O} = \mathbb{Z}[\frac{1 + \sqrt{d}}{2}]$ so some units may have rational coefficients $r_1 + r_2\sqrt{d}$ with denominator 2 (e.g. $d = 5$ has $\frac{1 \pm \sqrt{5}}{2}$ as units). But given the fundamental unit we can generate all units in numerical order as powers and select the smallest unit $\epsilon = x + y\sqrt{d} > 1$ having $x^2 - dy^2 = 1$ and $x, y \in \mathbb{Z}$. Then via theorem 1 we can again generate all solutions of Pell's equation. ■

Hence solving Pell's equation is equivalent to finding the fundamental unit of the algebraic integers in $\mathbb{Q}[\sqrt{d}]$. We define the regulator $R$ of $\mathcal{O}$ by

$$R = \ln\epsilon_0$$

and our task is now to compute an $n$ digit approximation to $R$ in $\mathrm{poly}(\log d, n)$ time. To define our basic function $h$ with period $R$ we will need the concept of an ideal of $\mathcal{O}$ in $\mathbb{Q}[\sqrt{d}]$ and more specifically, the notion of reduced principal ideals.

4 Ideals of the algebraic integers 

If $A$ and $B$ are subsets of $\mathcal{O}$ or $\mathbb{Q}[\sqrt{d}]$ we define the product $A \cdot B$ to be the additive span of all products $ab$ with $a \in A$ and $b \in B$:

$$A \cdot B = \{a_1 b_1 + \ldots + a_n b_n : a_1, \ldots, a_n \in A,\ b_1, \ldots, b_n \in B,\ n \in \mathbb{N}\}.$$
Definition 1 $I \subseteq \mathcal{O}$ is an (integral) ideal of $\mathcal{O}$ if $I \cdot \mathcal{O} = I$ and $\alpha, \beta \in I$ implies $m\alpha + n\beta \in I$ for all $m, n \in \mathbb{Z}$.

$I \subseteq \mathbb{Q}[\sqrt{d}]$ is a fractional ideal of $\mathcal{O}$ if $I \cdot \mathcal{O} = I$ and $\alpha, \beta \in I$ implies $m\alpha + n\beta \in I$ for all $m, n \in \mathbb{Z}$.

In other words an integral (respectively fractional) ideal of $\mathcal{O}$ is a subset of $\mathcal{O}$ (respectively $\mathbb{Q}[\sqrt{d}]$) that is closed under forming $\mathbb{Z}$-linear combinations of its elements and also closed under multiplication by elements of $\mathcal{O}$. In standard algebra the basic object of study ($\mathcal{O}$ here) is generally not embedded in an ambient structure ($\mathbb{Q}[\sqrt{d}]$ here) and the term 'ideal' corresponds to 'integral ideal' above.

Example In $\mathbb{Q}$ we have $\mathcal{O} = \mathbb{Z}$ (the usual integers) and $I_m = m\mathbb{Z} = \{0, \pm m, \pm 2m, \ldots\} \subseteq \mathbb{Z}$ is an integral ideal for each $m$, as can easily be verified. Similarly for $\mathcal{O} \subseteq \mathbb{Q}[\sqrt{d}]$ if $\alpha \in \mathcal{O}$ is any chosen element then $I_\alpha = \alpha\mathcal{O} = \{\alpha\xi : \xi \in \mathcal{O}\}$ is always an integral ideal (or fractional ideal if more generally $\alpha \in \mathbb{Q}[\sqrt{d}]$). It can be shown that for $\mathbb{Z}$ the $I_m$'s are the only integral ideals, whereas for $\mathcal{O} \subseteq \mathbb{Q}[\sqrt{d}]$ generally the $I_\alpha$'s do not exhaust all possible ideals.

4.1 Principal ideals and periodicity 

Definition 2 If $\gamma \in \mathcal{O}$ (respectively $\mathbb{Q}[\sqrt{d}]$) then the set $\gamma\mathcal{O} = \{\gamma\xi : \xi \in \mathcal{O}\}$ is always an integral (respectively fractional) ideal and ideals of this form are called principal ideals.

Proposition 10 $\alpha\mathcal{O} = \beta\mathcal{O}$ iff $\alpha = \beta\epsilon$ where $\epsilon$ is a unit in $\mathbb{Q}[\sqrt{d}]$.

Proof If $\epsilon$ is a unit then it is easy to see that $\epsilon\mathcal{O} = \mathcal{O}$. Hence if $\alpha = \beta\epsilon$ then $\alpha\mathcal{O} = \beta\epsilon\mathcal{O} = \beta\mathcal{O}$. Conversely suppose that $\alpha\mathcal{O} = \beta\mathcal{O}$. Since $1 \in \mathcal{O}$ we have $\alpha \in \alpha\mathcal{O} = \beta\mathcal{O}$ so there is $\eta_1 \in \mathcal{O}$ with $\alpha = \beta\eta_1$. Interchanging the roles of $\alpha$ and $\beta$ we get $\eta_2 \in \mathcal{O}$ with $\beta = \eta_2\alpha$, so $\alpha = \beta\eta_1 = \alpha\eta_2\eta_1$, i.e. $\eta_2\eta_1 = 1$ and $\eta_1, \eta_2$ are units. ■

Proposition 10 with theorem 3 provides the key to converting our basic task (of computing regulators) into a periodicity problem. By theorem 3 we know that $\epsilon$ is a unit iff $\epsilon = \pm\epsilon_0^k$ where $\epsilon_0$ is the fundamental unit. Let $\mathcal{PI} = \{\xi\mathcal{O} : \xi \in \mathbb{Q}[\sqrt{d}]\}$ be the set of all fractional principal ideals. Thus if we consider the ideal $\xi\mathcal{O} \in \mathcal{PI}$ as a function of $x = \ln\xi$, i.e.

$$g(x) = e^x\mathcal{O},$$

then $g$ will be a periodic function with our desired period $R = \ln\epsilon_0$. However the direct use of this function would appear to be computationally problematic for various reasons. In order to compute $g$ and see the periodicity we would need to be able to determine that $e^{x'}\mathcal{O}$ and $e^x\mathcal{O}$ are the same ideal when $x' = x + R$, and furthermore we would need to compute $g$ (in quantum superposition) for values of $x \sim O(R)$ or larger. In that case, even the integer part of $e^x$ (being $O(\epsilon_0) \sim O(e^{\sqrt{d}})$) would have exponentially many digits. Thus the arithmetic operations needed to see that $e^x\mathcal{O} = e^{x+R}\mathcal{O}$ would presumably require exponential time $O(\mathrm{poly}(\log d, \log e^x)) = O(\mathrm{poly}(d))$. Furthermore the sets $\mathbb{Q}[\sqrt{d}]$ and $\mathcal{O}$ are dense in $\mathbb{R}$ and we have infinitely many distinct (integral) ideals. Thus the identification of the ideal $\alpha\mathcal{O}$ would generally depend on $\alpha$ to full (infinite) precision (or alternatively we would need to formulate some effectively computable notion of two ideals $I$ and $I'$ being "almost the same").

To get around these difficulties we will utilise the notion of reduced principal ideals $I$ (a concept which already appears in Gauss' Disquisitiones Arithmeticae of 1801) and a notion of distance $\delta(I)$ of $I$ from the unit ideal $\mathcal{O}$ (which was introduced by D. Shanks in 1972 [?]). The set $\mathcal{PI}_{\mathrm{red}}$ of reduced principal ideals will be a finite set (although exponentially large in $\log d$). Each reduced ideal will have a $\mathrm{poly}\log d$ sized description so we avoid the above problems of infinite precision. Furthermore we will have an (efficiently computable) operation $\rho : \mathcal{PI}_{\mathrm{red}} \to \mathcal{PI}_{\mathrm{red}}$ which allows us to cycle through the set of reduced ideals in order of increasing distance from $\mathcal{O}$, and we will have an effective means of jumping by exponentially large distances. With each successive application of these processes (starting on $\mathcal{O}$) we will be able to efficiently compute the distance increment, and the accumulated distance passes through $R$ as the ideal cycle returns to $\mathcal{O}$. Once these, and some further ingredients, are in place we will be able to define an efficiently computable function on $\mathbb{R}$ with period $R$ and apply the quantum period-finding algorithm (suitably generalised for irrational periods on $\mathbb{R}$).

5 Presentations of ideals 

Proposition 11 Any principal fractional ideal $I$ has the form

$$I = \alpha\mathbb{Z} + \beta\mathbb{Z} = \{m_1\alpha + m_2\beta : m_1, m_2 \in \mathbb{Z}\}$$

where $\alpha, \beta \in \mathbb{Q}[\sqrt{d}]$ are linearly independent over $\mathbb{Q}$.

Proof Since $\mathcal{O} = \mathbb{Z} + \omega\mathbb{Z}$, for $\gamma\mathcal{O}$ we can take $\alpha = \gamma$ and $\beta = \gamma\omega$. Furthermore $1, \omega$ are linearly independent over $\mathbb{Q}$ so $\alpha, \beta$ must be too. ■

Remark Proposition 11 is actually true for any (not necessarily principal) fractional ideal of $\mathcal{O}$ but we will not need this more general fact.

Thus intuitively any ideal is like a "2-dimensional vector space over $\mathbb{Z}$" with the extra property of being closed under multiplication by $\mathcal{O}$ (which restricts the possible choices of $\alpha$ and $\beta$). Any set $\{\alpha, \beta\}$ in proposition 11 is called an integral basis of the fractional ideal. Changes of basis must respect the restriction that coefficients are required to be integers.

Proposition 12 Let $\{\alpha, \beta\}$ be an integral basis of a fractional ideal $I$. Then $\{\alpha', \beta'\}$ is another integral basis iff

$$(\alpha' \ \ \beta') = (\alpha \ \ \beta)\, M \qquad (6)$$

where $M$ is a $2 \times 2$ matrix with integer entries and $\det M = \pm 1$.

Proof ($\Rightarrow$) Since $\alpha', \beta' \in I$, eq. (6) must hold for some matrix $M$ with integer entries. By moving $M$ to the LHS as $M^{-1}$ we see that $M^{-1}$ must also have integer entries, so (just as in proposition 6) we must have $\det M = \pm 1$.

($\Leftarrow$) Conversely if eq. (6) holds with $\det M = \pm 1$ then each of $\alpha\mathbb{Z} + \beta\mathbb{Z}$ and $\alpha'\mathbb{Z} + \beta'\mathbb{Z}$ is contained in the other, since the two sets $\{\alpha, \beta\}$ and $\{\alpha', \beta'\}$ are related as linear combinations with integer coefficients. ■

If $\{\alpha, \beta\}$ is any integral basis of a fractional ideal $I$ then we introduce the absolute value

$$\mathcal{N}(I) = \left| \det\begin{pmatrix} \alpha & \beta \\ \bar{\alpha} & \bar{\beta} \end{pmatrix} \right| \Big/ \sqrt{D} .$$

Proposition 13 $\mathcal{N}(I)$ is independent of the choice of integral basis. If $I = \gamma\mathcal{O}$ is a principal integral ideal then $\mathcal{N}(I)$ is the integer $|\gamma\bar{\gamma}|$.

Proof If $\{\alpha', \beta'\}$ is any other integral basis then $(\alpha' \ \ \beta') = (\alpha \ \ \beta)M$ where $\det M = \pm 1$. Hence

$$\det\begin{pmatrix} \alpha' & \beta' \\ \bar{\alpha}' & \bar{\beta}' \end{pmatrix} = \det M \, \det\begin{pmatrix} \alpha & \beta \\ \bar{\alpha} & \bar{\beta} \end{pmatrix} = \pm \det\begin{pmatrix} \alpha & \beta \\ \bar{\alpha} & \bar{\beta} \end{pmatrix} .$$

If $I = \gamma\mathcal{O}$ we can take $\alpha = \gamma$ and $\beta = \gamma(D + \sqrt{D})/2$ and compute $\mathcal{N}(I)$ directly, giving $|\gamma\bar{\gamma}|$, which is an integer for $\gamma \in \mathcal{O}$ by proposition 5. ■
Proposition 14 Any fractional ideal $I$ has an integral basis $\{\alpha, \beta\}$ with $\alpha > 0$ rational. Furthermore $\alpha$ is uniquely determined as the least positive rational in $I$. If $I$ is an integral ideal then $\alpha$ is an integer (and so $I$ contains no rationals that are not integers).

Proof If $\alpha = r_1 + r_2\sqrt{d}$, $\beta = s_1 + s_2\sqrt{d}$ with $r_1, r_2, s_1, s_2 \in \mathbb{Q}$ is any integral basis there exist integers $m, n$ such that $mr_2 + ns_2 = 0$ and $\gcd(m, n) = 1$. Thus by Euclid's algorithm there exist integers $a, b$ such that $am - bn = \gcd(m, n) = 1$, i.e. the matrix

$$M = \begin{pmatrix} m & b \\ n & a \end{pmatrix}$$

has $\det M = 1$. Then the integral basis

$$(\alpha' \ \ \beta') = (\alpha \ \ \beta)\, M, \qquad \text{i.e. } \alpha' = m\alpha + n\beta, \quad \beta' = b\alpha + a\beta,$$

has $\alpha'$ rational (which we may take to be $> 0$ by a change of sign). Since $\{\alpha', \beta'\}$ is linearly independent over $\mathbb{Q}$, $\beta'$ cannot be rational. Any element $\xi$ of $I$ can be written $\xi = m\alpha' + n\beta'$ so $\xi$ is rational iff $n = 0$. Thus $\alpha'$ is the least positive rational in $I$.

If $I$ is an integral ideal then $I \subseteq \mathcal{O} = \{m + n\frac{D + \sqrt{D}}{2} : m, n \in \mathbb{Z}\}$ where $\sqrt{D}$ is irrational. Hence the only rationals in $I$ are integers, so $\alpha'$ must be an integer. ■



Proposition 15 $I \subseteq \mathbb{Q}[\sqrt{d}]$ is a fractional ideal iff there is $m \in \mathbb{N}$ such that $mI$ is an integral ideal (hence justifying the terminology 'fractional ideal').

Proof ($\Leftarrow$) If $mI$ is an integral ideal then clearly $I = \frac{1}{m}(mI)$ is a fractional ideal.
($\Rightarrow$) Let $\{\alpha, \beta\}$ be an integral basis of $I$ and let $k$ be any integer such that $k\alpha, k\beta \in \mathbb{Z}[\sqrt{d}]$, i.e. all denominators of rational coefficients in $\alpha, \beta$ divide $k$. Then $kI$ is an ideal and $kI \subseteq \mathbb{Z}[\sqrt{d}] \subseteq \mathcal{O}$, i.e. $kI$ is an integral ideal. ■

Recall that $a\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z} = a\mathbb{Z} + \frac{b' + \sqrt{D}}{2}\mathbb{Z}$ for any $b' \equiv b \bmod 2a$, so we can adjust the value of $b$ to lie in any desired interval of length $2a$. We will make use of the following basic choice:

For $a, b \in \mathbb{Z}$ with $a \neq 0$ let $\tau(b, a)$ be the unique integer $t$ such that $t \equiv b \bmod 2a$ and

$$-a < t \leq a \ \text{ if } a > \sqrt{D}, \qquad \sqrt{D} - 2a < t \leq \sqrt{D} \ \text{ if } a < \sqrt{D}.$$

Proposition 16 A subset $I \subseteq \mathbb{Q}[\sqrt{d}]$ is an integral ideal of $\mathcal{O}$ iff $I$ can be written as

$$I = k\left(a\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z}\right) \qquad (7)$$

where $a, b, k \in \mathbb{Z}$ with $a > 0$, $k > 0$, $b = \tau(b, a)$ and $4a$ divides $b^2 - D$.

Furthermore this presentation of the ideal $I$ as the triple of integers $(a, b, k)$ is unique: $ak$ is the least positive rational in $I$, $k/2$ is the least positive coefficient of $\sqrt{D}$ of any member of $I$ and $b = \tau(b, a)$ uniquely determines $b$. Also $\mathcal{N}(I) = k^2 a$.

Proof ($\Rightarrow$) Suppose that $I$ is an integral ideal of $\mathcal{O}$. By proposition 14 we have $I = a'\mathbb{Z} + \beta\mathbb{Z}$ where $a' \in \mathbb{Z}$ is the least positive integer in $I$.

$\beta \in I \subseteq \mathcal{O}$ so we can write $\beta = m_1 + \frac{D + \sqrt{D}}{2}m_2 = \frac{b' + k\sqrt{D}}{2}$ for integers $b', k$. Since $\beta\mathbb{Z} = -\beta\mathbb{Z}$ we can assume that $k > 0$. Now $a' \in I$ and $\frac{D + \sqrt{D}}{2} \in \mathcal{O}$ so their product is in $I$, so there exist integers $m_1, m_2$ with

$$a'\left(\frac{D + \sqrt{D}}{2}\right) = m_1 a' + m_2\beta = m_1 a' + m_2\left(\frac{b' + k\sqrt{D}}{2}\right).$$

Equating coefficients of $\sqrt{D}$ gives $a' = m_2 k$ so $k$ divides $a'$. Also $\frac{b' + k\sqrt{D}}{2} \cdot \frac{D + \sqrt{D}}{2} \in I$ so similarly, there exist integers $n_1, n_2$ with

$$\left(\frac{b' + k\sqrt{D}}{2}\right)\left(\frac{D + \sqrt{D}}{2}\right) = n_1 a' + n_2\left(\frac{b' + k\sqrt{D}}{2}\right).$$

Equating coefficients of $\sqrt{D}$ then shows that $k$ divides $b'$. Writing $a' = ka$ and $b' = kb$ we get $I = k\left(a\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z}\right)$. In this expression $k/2$ is uniquely determined as the least positive coefficient of $\sqrt{D}$ in any member of $I$. Also $ka$ is uniquely determined as the least positive rational in $I$ so $a$ is unique too. The condition $b = \tau(b, a)$ then uniquely fixes the value of $b$. Finally we show that $4a$ divides $D - b^2$. Since $k(b + \sqrt{D})/2 \in I$ and $(D + \sqrt{D})/2 \in \mathcal{O}$ we have

$$k\,\frac{(b + \sqrt{D})(D + \sqrt{D})}{4} = k\,\frac{(b + 1)D + (b + D)\sqrt{D}}{4} \in I.$$

Hence it must be of the form $k\left(xa + y\frac{b + \sqrt{D}}{2}\right)$ for $x, y \in \mathbb{Z}$. Thus $(b + D) = 2y$ and $D(b + 1) = 4ax + 2yb = 4ax + b^2 + bD$, giving $4ax = D - b^2$, i.e. $4a$ divides $D - b^2$.

Conversely suppose that $I$ has the form given in eq. (7) with $a, b, k \in \mathbb{Z}$ satisfying the given conditions. We show that $I$ is then an ideal of $\mathcal{O}$. Now $I$ is clearly closed under $\mathbb{Z}$-linear combinations of its members so it remains to show that $\mathcal{O} \cdot I = I$. Since $\mathcal{O}$ has integral basis $\{1, \omega = \frac{D + \sqrt{D}}{2}\}$ it then suffices to show that $1 \cdot I \subseteq I$ and $\omega I \subseteq I$. The first is obvious and for the second it suffices to show $ka\omega \in I$ and $k\left(\frac{b + \sqrt{D}}{2}\right)\omega \in I$. Now $ka\omega \in I$ iff

$$ka\omega = k\left(\frac{aD}{2} + \frac{a}{2}\sqrt{D}\right) = m_1 ka + m_2 k\left(\frac{b + \sqrt{D}}{2}\right)$$

has a solution $m_1, m_2$ in integers. Equating coefficients gives $m_1 a + m_2 b/2 = aD/2$ and $m_2/2 = a/2$, so $m_2 = a$ and $m_1 = (D - b)/2$. But $b^2 = D + 4ac$ for some $c \in \mathbb{Z}$, so $b^2 \equiv D \bmod 2$ and hence $b \equiv D \bmod 2$ (as $b$ and $b^2$ always have the same parity). Hence $m_1, m_2$ are integers as required.

A similar calculation for $k\left(\frac{b + \sqrt{D}}{2}\right)\omega$ gives $m_2 = (D + b)/2$, which is an integer, and $m_1 = (D - b^2)/(4a)$, which is an integer by hypothesis.

Finally $\mathcal{N}(I) = k^2 a$ follows by direct calculation with the integral basis $\{ka, k\frac{b + \sqrt{D}}{2}\}$. ■
Remark A principal ideal $I = \alpha\mathcal{O}$ can be given either by giving a value of $\alpha$ or by giving the parameters $a, b, k \in \mathbb{Z}$. Although there is a $O(\mathrm{poly}(\log\alpha, \log D))$ time algorithm for translating $\alpha$ into $(a,b,k)$ (cf. proposition 17 below) the reverse translation appears to be a hard computational task (classically): the best known classical algorithm has running time $O(e^{\sqrt{\log D}})$. Thus this interconversion corresponds to a one-way function which forms the basis of the Buchmann-Williams cryptosystem [?] for key exchange (which can be broken by an extension [?] of Hallgren's algorithm).

Proposition 17 Let $\alpha = \frac{x+y\sqrt D}{2} \in \mathcal{O}$ with $x, y \in \mathbb{Z}$. Let $k = \gcd(y, (x+yD)/2)$ and $u, v \in \mathbb{Z}$ such that
$$uy + v(x+yD)/2 = k$$
(which are guaranteed to exist by Euclid's algorithm). Then
$$\alpha\mathcal{O} = k\Big(a\mathbb{Z} + \frac{b+\sqrt D}{2}\mathbb{Z}\Big)$$
with $k$ as above, $a = |\alpha\bar\alpha|/k^2$ and $b = \tau\big((ux + v(x+y)D/2)/k,\ a\big)$. Hence the parameters $(a,b,k)$ of $\alpha\mathcal{O}$ can be computed in $\mathrm{poly}(\log|x|, \log|y|, \log D)$ time.

Proof Since $\mathcal{O} = \mathbb{Z} + \frac{D+\sqrt D}{2}\mathbb{Z}$, it follows that any $\alpha \in \mathcal{O}$ may be written as $\alpha = x' + y'\frac{D+\sqrt D}{2}$ for $x', y' \in \mathbb{Z}$ so $\alpha = \frac{x+y\sqrt D}{2}$ with $x, y \in \mathbb{Z}$ and $(x+yD)/2 \in \mathbb{Z}$. Also then, $\alpha\mathcal{O}$ is generated (via $\mathbb{Z}$-linear combinations) by $(x+y\sqrt D)/2$ and $(x+y\sqrt D)(D+\sqrt D)/4 = ((x+y)D + (x+yD)\sqrt D)/4$. Since $k/2$ is the smallest positive coefficient of $\sqrt D$ we get $k = \gcd(y, (x+yD)/2)$. Also $\mathcal{N}(\alpha\mathcal{O}) = k^2 a = |\alpha\bar\alpha|$ giving the claimed formula for $a$.

The only elements of $\alpha\mathcal{O}$ with $\sqrt D$ coefficient $k/2$ have the form $k\big(aw + \frac{b+\sqrt D}{2}\big) = k(b' + \sqrt D)/2$ where $b' = b + 2wa$ and $w \in \mathbb{Z}$, so then $b = \tau(b', a)$. Now if $k = uy + v(x+yD)/2$ for $u, v \in \mathbb{Z}$ then $u\frac{x+y\sqrt D}{2} + v\big((x+y)D + (x+yD)\sqrt D\big)/4$ is in $\alpha\mathcal{O}$ and has the form $k(b'+\sqrt D)/2$ where $b' = (ux + v(x+y)D/2)/k$. Then $b = \tau(b', a)$ gives the claimed formula for $b$.

Finally in $k = uy + v(x+yD)/2$, $u$ and $v$ might conceivably be very large but the choice is not unique: we have the freedoms $u \to u - s(x+yD)/2$ and $v \to v + sy$ for any $s \in \mathbb{Z}$. Hence we can take $|v| < |y|$ and then $u = (k - v(x+yD)/2)/y$ is also suitably small making the whole computation of $a, b, k$ performable in $\mathrm{poly}(\log|x|, \log|y|, \log D)$ time. ■
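As an added worked example (it is not part of the original notes), here is proposition 17 in Python. The map $\tau$ is implemented as the representative of $b$ modulo $2a$ lying in $(-a, a]$ when $a > \sqrt D$ and in $(\sqrt D - 2a, \sqrt D)$ when $a < \sqrt D$, which are the ranges the proofs of propositions 19 and 20 use; the function names and the consistency check `is_standard` are my own, and $D$ is assumed to be the discriminant used in the integral basis $\{1, (D+\sqrt D)/2\}$ above.

```python
from math import isqrt


def tau(b, a, D):
    """Representative of b mod 2a in (-a, a] if a > sqrt(D), else in (sqrt(D) - 2a, sqrt(D)).
    D is assumed not to be a perfect square, so sqrt(D) is never an integer."""
    K = isqrt(D)                                   # K < sqrt(D) < K + 1
    lo = K + 1 - 2 * a if a <= K else 1 - a        # smallest integer in the target range
    return lo + (b - lo) % (2 * a)


def ext_gcd(p, q):
    """Return (g, u, v) with u*p + v*q = g = gcd(p, q) >= 0 (extended Euclid)."""
    r0, r1, u0, u1, v0, v1 = p, q, 1, 0, 0, 1
    while r1:
        t = r0 // r1
        r0, r1, u0, u1, v0, v1 = r1, r0 - t * r1, u1, u0 - t * u1, v1, v0 - t * v1
    return (r0, u0, v0) if r0 >= 0 else (-r0, -u0, -v0)


def principal_ideal(x, y, D):
    """Standard form (a, b, k) of alpha*O for alpha = (x + y*sqrt(D))/2 in O, i.e.
    alpha*O = k*(a*Z + (b + sqrt(D))/2 * Z) as in proposition 17."""
    m = x + y * D
    assert m % 2 == 0, "alpha must lie in O, i.e. x + y*D must be even"
    m //= 2
    k, u, v = ext_gcd(y, m)                        # u*y + v*m = k = gcd(y, (x + yD)/2)
    if y != 0:                                     # keep v small: u -> u + s*m, v -> v - s*y
        s = v // y
        u, v = u + s * m, v - s * y
    a = abs(x * x - y * y * D) // (4 * k * k)      # N(alpha O) = |alpha * conj(alpha)| = k^2 a
    b_raw = (u * x + v * ((x + y) * D // 2)) // k  # rational part of the element with sqrt(D) coefficient k/2
    return a, tau(b_raw, a, D), k


def is_standard(a, b, k, D):
    """Conditions of proposition 15: a, k > 0, b = tau(b, a) and 4a | D - b^2."""
    return a > 0 and k > 0 and b == tau(b, a, D) and (D - b * b) % (4 * a) == 0
```

For instance `principal_ideal(4, 2, 13)` (that is $\alpha = 2 + \sqrt{13}$) returns $(9, -7, 1)$: the ideal $9\mathbb{Z} + \frac{-7+\sqrt{13}}{2}\mathbb{Z}$ of norm 9, and $36$ divides $13 - 49$ as proposition 15 requires.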

Using proposition 15 with proposition 16 we get a corresponding unique presentation of a fractional ideal as
$$I = \frac{k}{l}\Big(a\mathbb{Z} + \frac{b+\sqrt D}{2}\mathbb{Z}\Big) \qquad (8)$$
with $l \in \mathbb{N}$ being the smallest such integer and $a, b, k \in \mathbb{Z}$ satisfying the same conditions as above. When the parameters $a, b, k, l$ satisfy these conditions, making them unique, we say that $I$ is in standard form.



6 Reduced ideals and the reduction operator ρ

6.1 Reduced ideals

It will be helpful to introduce a geometrical picture of a fractional ideal $I$ as a two dimensional lattice embedded in $\mathbb{R}^2$: if $\alpha \in I$ we map it to the point $\vec\alpha = (\alpha, \bar\alpha) \in \mathbb{R}^2$ (recalling that for $\alpha = p + q\sqrt d$ we define $\bar\alpha = p - q\sqrt d$).

Definition 3 A minimum of $I$ is an element $\alpha \in I$ such that $\alpha > 0$ and there is no nonzero $\beta \in I$ with $|\beta| < |\alpha|$ and $|\bar\beta| < |\bar\alpha|$, i.e. $\vec\alpha \in \mathbb{R}^2$ lies in the right half plane and the rectangle defined by $\alpha$ (having corners at the four points $(\pm\alpha, \pm\bar\alpha)$) contains no lattice points inside it (except for $(0,0)$). A fractional ideal $I$ is called reduced if $1 \in I$ and $1$ is a minimum of $I$.

Proposition 18 If $I$ is reduced then its standard form is
$$I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$$
i.e. in eq. (8) we have $k = 1$ and $l = a$.

Proof Since $1 \in I$ we have $1 = \frac{k}{l}\big(xa + y\frac{b+\sqrt D}{2}\big)$ with $x, y \in \mathbb{Z}$. Hence $y = 0$ and $kxa/l = 1$. But $1 \in I$ is also a minimum so $x = 1$ (because if $x > 1$ then $\beta = k(x-1)a/l < 1$ is an element of $I$ with $0 < \beta < 1$ and $0 < \bar\beta < 1$). Thus $ka = l$ so $k$ divides $l$ and the minimality of $l$ in eq. (8) implies $k = 1$. ■

Proposition 19 Let
$$I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$$
be a reduced ideal in standard form. Then $a < \sqrt D$ and $|b| < \sqrt D$. Hence the number of reduced ideals is finite.

Proof From the definition of $\tau$ and $b = \tau(b,a)$ we have $|b| < \sqrt D$ if $a < \sqrt D$. To show $a < \sqrt D$ suppose on the contrary that $a > \sqrt D$. Then from the definition of $\tau$ we have $|b| \le a$ so $\big|\frac{b+\sqrt D}{2a}\big| < 1$ and $\big|\frac{b-\sqrt D}{2a}\big| < 1$ contradicting the fact that $1$ is a minimum (since $\frac{b+\sqrt D}{2a} \in I$). Hence $a < \sqrt D$. ■

Proposition 20 Suppose a fractional ideal has the standard form
$$I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}.$$
Then $I$ is reduced iff $b \ge 0$ and $b + \sqrt D > 2a$.

Proof ($\Rightarrow$) Assume $I$ is reduced. By proposition 19, $a < \sqrt D$ and so $b = \tau(b,a)$ lies in the range $\sqrt D - 2a < b < \sqrt D$. If $b < 0$ then $|b| = -b < 2a - \sqrt D$ i.e. $|b| + \sqrt D < 2a$ which contradicts the minimality of $1$ (as $\max\big(\big|\frac{b+\sqrt D}{2a}\big|, \big|\frac{b-\sqrt D}{2a}\big|\big) = \frac{|b|+\sqrt D}{2a}$). Hence $b \ge 0$ and if $\frac{b+\sqrt D}{2a} < 1$ then $\max\big(\big|\frac{b+\sqrt D}{2a}\big|, \big|\frac{b-\sqrt D}{2a}\big|\big) = \frac{b+\sqrt D}{2a} < 1$ again contradicting the minimality of $1$. Hence $b + \sqrt D > 2a$.

($\Leftarrow$) Conversely assume that $b \ge 0$ and $b + \sqrt D > 2a$. Let $H(x,y) = \max\big(|2xa + y(b+\sqrt D)|, |2xa + y(b-\sqrt D)|\big)$. Then $I$ is reduced iff $1$ is a minimum of $I$ iff $H(x,y) \ge 2a$ for all $x, y \in \mathbb{Z}$ with $(x,y) \ne (0,0)$. Since $H(x,y) = H(-x,-y)$ it suffices to consider the two sectors $x \ge 0, y \ge 0$ and $x > 0, y < 0$.

If $x \ge 0$, $y \ge 0$ and $(x,y) \ne (0,0)$ then $b + \sqrt D > 2a$ gives $|2xa + y(b+\sqrt D)| \ge 2a(x+y) \ge 2a$ so $H(x,y) \ge 2a$ in this sector.

For $x > 0$, $y < 0$ we first show that $b - \sqrt D < 0$. Indeed $b + \sqrt D > 2a$ gives $a < \sqrt D + (b-a)$. If $a > \sqrt D$ then the definition of $\tau$ gives $b \le a$ and the contradiction $a < \sqrt D$. Hence $a < \sqrt D$ and the definition of $\tau$ again gives $b < \sqrt D$ i.e. $b - \sqrt D < 0$. Then $|2xa + y(b-\sqrt D)| = 2ax + |y|\,|b-\sqrt D| \ge 2xa$. Since $x \ge 1$ we get $H(x,y) \ge 2a$. ■

Corollary 1 The fractional ideal $I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$ is reduced if $a < \sqrt D/2$.

Proof If $a < \sqrt D/2$ then the definition of $\tau$ gives $b > 0$ and then also $b + \sqrt D > b + 2a > 2a$ so by proposition 20 $I$ is reduced. ■

6.2 The reduction operator ρ

For a fractional (not necessarily reduced) ideal of the form
$$I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$$
we introduce the notation
$$\gamma(I) = \frac{b+\sqrt D}{2a} \qquad (9)$$
and define the reduction operator $\rho$ mapping (principal) ideals to (principal) ideals by
$$\rho(I) = \frac{1}{\gamma(I)}\,I = \frac{2a}{b+\sqrt D}\mathbb{Z} + \mathbb{Z}.$$
Since $4a$ divides $b^2 - D$ (cf. proposition 15) we introduce the integer $c = |D - b^2|/(4a)$ and then
$$\frac{2a}{b+\sqrt D} = \frac{2a(b-\sqrt D)}{b^2 - D} = \pm\frac{b-\sqrt D}{2c}.$$
Thus (as $\mathbb{Z} = \pm\mathbb{Z}$)
$$\mathbb{Z} + \frac{2a}{b+\sqrt D}\mathbb{Z} = \mathbb{Z} + \frac{b-\sqrt D}{2c}\mathbb{Z} = \mathbb{Z} + \frac{-b+\sqrt D}{2c}\mathbb{Z}.$$
Hence the standard parameters $a', b'$ of $\rho(I) = \mathbb{Z} + \frac{b'+\sqrt D}{2a'}\mathbb{Z}$ are
$$b' = \tau(-b, c), \qquad a' = c = \frac{|D - b^2|}{4a}. \qquad (10)$$

Remark Many treatments of this subject use a slightly more general notion of reduction. Recall that a general fractional ideal has the standard form
$$I = \frac{k}{l}\Big(a\mathbb{Z} + \frac{b+\sqrt D}{2}\mathbb{Z}\Big) = \frac{ak}{l}\Big(\mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}\Big)$$
with $a, b, k, l$ uniquely determined. Write $\gamma(I) = \frac{b+\sqrt D}{2a}$. Then in the more general formalism the reduction operator is defined by $\rho(I) = \frac{1}{\gamma(I)}I$ and $I$ is said to be reduced if $ka/l$ (the smallest positive rational in $I$) is a minimum. Thus $I$ is reduced iff $\mathbb{Z} + \gamma(I)\mathbb{Z}$ is reduced in our restricted sense (i.e. for the restricted sense that we're using, we also require $1$ to be the smallest positive rational in $I$).

Proposition 21 Let $I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$ be a (not necessarily reduced) fractional ideal. Let $I_0 = I$ and $I_i = \rho(I_{i-1}) = \mathbb{Z} + \frac{b_i+\sqrt D}{2a_i}\mathbb{Z}$. If $I_i$ is not reduced then $a_i < a_{i-1}/2$ and thus $I_i$ is reduced for some $i \le \lceil\log_2(a/\sqrt D)\rceil + 1$. Let $i_{red}$ be the minimal such $i$. Then $\alpha = \prod_{j=0}^{i_{red}-1}\gamma(I_j)$ is a minimum in $I$ and $I_{red} = I_{i_{red}} = \frac{1}{\alpha}I$.

Proof If $a_{i-1} > \sqrt D$ then $|b_{i-1}| \le a_{i-1}$ so
$$a_i = \frac{|b_{i-1}^2 - D|}{4a_{i-1}} \le \frac{a_{i-1}^2 + D}{4a_{i-1}} < \frac{a_{i-1}}{2}.$$
Hence $a_i < \sqrt D$ for some $i \le \lceil\log_2(a/\sqrt D)\rceil$.

Now assume that $a_i < \sqrt D$ and consider the two cases $a_{i+1} \ge a_i$ and $a_{i+1} < a_i$. In the first case, we have $|b_i^2 - D|/(4a_i) \ge a_i$ and also $\sqrt D - 2a_i < b_i < \sqrt D$ so $D - b_i^2 \ge 4a_i^2$ giving $\sqrt D + |b_i| > 2a_i$ (as $D$ is not a perfect square). Next we show that $b_i \ge 0$, so by proposition 20 $I_i$ will be reduced. If $b_i < 0$ then $\sqrt D - 2a_i < b_i < 0$ gives $|b_i| < |\sqrt D - 2a_i| = 2a_i - \sqrt D$ in contradiction to $\sqrt D + |b_i| > 2a_i$. Hence $b_i \ge 0$.

In the second case: if $a_{i+1} < a_i$ then $a_{i+1}^2 < a_i a_{i+1} = \frac{|D - b_i^2|}{4} \le \frac{D}{4}$. Thus $a_{i+1} < \sqrt D/2$ and corollary 1 implies that $I_{i+1}$ is reduced.

Finally we prove the statement about $\alpha$. Clearly $I_{red} = \frac{1}{\alpha}I$ and since $I_{red}$ is reduced it follows that $\alpha$ must be a minimum in $I$. To see this think of the geometrical picture: we have $I = \alpha I_{red}$ so the lattice for $I$ is obtained from the lattice for $I_{red}$ by rescaling by $\alpha$ and $\bar\alpha$ in the $x$ and $y$ directions respectively. Hence the interior of the $\alpha$ rectangle for $I$ corresponds to the interior of the $1$ rectangle for $I_{red}$ which is empty except for the point $(0,0)$. ■

The right neighbour of a minimum $\alpha \in I$ is the uniquely determined minimum $\beta_R \in I$ with least size $\beta_R > \alpha$. The left neighbour of a minimum $\alpha \in I$ is the uniquely determined minimum $\beta_L \in I$ with least conjugate size $|\bar\beta_L| > |\bar\alpha|$.

Proposition 22 Let $\alpha \in \mathbb{Q}[\sqrt d]$ with $\alpha > 0$. Then for any fractional ideal $I$ the mapping $I \to \alpha I$ is a bijection mapping minima to minima and left (resp. right) neighbours to left (resp. right) neighbours.

Proof This is immediate from the geometrical picture of multiplication by $\alpha$ as just rescaling the lattice by $\alpha$ and $\bar\alpha$ in the $x$ and $y$ directions respectively. ■

Proposition 23 If $I = \mathbb{Z} + \gamma(I)\mathbb{Z}$ is reduced then $\gamma(I) > 1$ and $-1 < \overline{\gamma(I)} < 0$.

Proof By proposition 20 if $I$ is reduced then $\gamma(I) = (b+\sqrt D)/(2a) > 1$. Also by proposition 19 $a < \sqrt D$ so $\sqrt D - 2a < b < \sqrt D$ so $-1 < (b - \sqrt D)/(2a) < 0$. ■

Proposition 24 If $I = \mathbb{Z} + \gamma(I)\mathbb{Z}$ is reduced then $\gamma(I)$ is a minimum of $I$ and $\rho(I)$ is again reduced.

Proof Write $\gamma = \gamma(I)$. To see that it is a minimum of $I$ we need to show that if $x + y\gamma$ (with $x, y \in \mathbb{Z}$) has $|x + y\gamma| < |\gamma|$ and $|x + y\bar\gamma| < |\bar\gamma|$ then $x = y = 0$. Without loss of generality we may assume $x \ge 0$. Suppose the above conditions hold for $x, y \in \mathbb{Z}$. Since $x \ge 0$, $\gamma > 1$ and $-\gamma < x + y\gamma < \gamma$ we see that $y \le 0$. Write $\xi = |\bar\gamma|$ so $0 < \xi < 1$ and $|x + y\bar\gamma| < |\bar\gamma|$ gives $-\xi < x - y\xi < \xi$. Since $x \ge 0$ we get $-y\xi < \xi$ so $y > -1$. But we had $y \le 0$ so $y = 0$ is the only possibility. Then $|x| < |\bar\gamma| < 1$ gives $x = 0$. Thus $\gamma$ is a minimum of $I$ and by proposition 22 $\rho(I) = \frac{1}{\gamma}I$ is again a reduced ideal. ■

Proposition 25 Let $I = \mathbb{Z} + \gamma(I)\mathbb{Z}$ be a reduced ideal. Then the minimum $\gamma(I) \in I$ is the right neighbour of $1$ in $I$.

Proof Suppose that $\alpha = x + y\gamma(I)$ is the right neighbour of $1$. We first show that $y > 0$. If $y = 0$ then $\alpha = x$ so $x > 1$ i.e. $\alpha \ge 2$, $\bar\alpha = \alpha$ and the $\alpha$ rectangle contains $(1,1)$ i.e. $\alpha$ cannot be a minimum.

If $y < 0$ put $y = -k$ for $k > 0$. Then $\alpha = x - k\gamma > 1$ and $\gamma > 1$ gives $x > 1 + k\gamma > 1 + k$. Then $\bar\alpha = x - k\bar\gamma > 1 + k - k\bar\gamma > 1 + k$ (as $\bar\gamma < 0$). Hence again the $\alpha$ rectangle contains $(1,1)$ so $\alpha$ cannot be a minimum. Thus $y > 0$. Next we show that $x \ge 0$. If $x < 0$ put $x = -k$ for $k > 0$. Then $\alpha = -k + y\gamma > 1$ and $\bar\alpha = -k + y\bar\gamma < -k \le -1$ i.e. $\bar\alpha < -1$ and the $\alpha$ rectangle contains $(1,1)$ i.e. $\alpha$ cannot be a minimum. Hence $\alpha = x + y\gamma$ with $x \ge 0$ and $y > 0$ are the only possibilities and the smallest such $\alpha > 1$ is $\alpha = \gamma$ which actually is a minimum by proposition 24. ■

6.3 The principal cycle of reduced ideals

Since $\mathcal{O} = \mathbb{Z} + \frac{D+\sqrt D}{2}\mathbb{Z} = \mathbb{Z} + \frac{\tau(D,1)+\sqrt D}{2}\mathbb{Z}$ (i.e. $a = 1$ and $b \equiv D \pmod 2$), we see from proposition 20 that $\mathcal{O}$ is a reduced principal ideal of $\mathcal{O}$. Thus $\alpha_0 = 1 \in \mathcal{O}$ is a minimum and for $i \in \mathbb{Z}$ let $\alpha_{i-1}$ be the left neighbour and $\alpha_{i+1}$ the right neighbour of the minimum $\alpha_i \in \mathcal{O}$. Also let $J_i = \frac{1}{\alpha_i}\mathcal{O} = \mathbb{Z} + \gamma_i\mathbb{Z}$. (Note that since $\alpha_i$ is a minimum of $\mathcal{O}$, proposition 22 shows that $1 \in J_i$ is a minimum so $J_i$ is reduced and hence by proposition 18 has the form $\mathbb{Z} + \gamma_i\mathbb{Z}$.)

Since $\alpha_{i+1}$ is the right neighbour of $\alpha_i$ in $\mathcal{O}$ it follows that $\alpha_{i+1}/\alpha_i$ is the right neighbour of $1$ in $\frac{1}{\alpha_i}\mathcal{O}$ and proposition 25 gives $\alpha_{i+1}/\alpha_i = \gamma_i$ i.e.
$$\alpha_{i+1} = \alpha_i\gamma_i \qquad\text{and}\qquad J_{i+1} = \rho(J_i).$$

Remark (Geometrical picture of the sequence of minima) If we plot the points $\vec\alpha_i \in \mathbb{R}^2$ they all lie in the right half of the plane ($\alpha_i > 0$) on a pair of hyperbola-like curves (like $y = \pm 1/x$) alternating with $\pm y$ values as $i$ varies. To see this recall that $\alpha_{i+1} > \alpha_i$ (by definition) and so $|\bar\alpha_{i+1}| < |\bar\alpha_i|$ (since $|\bar\alpha_{i+1}| \ge |\bar\alpha_i|$ would imply that $\alpha_i$ is inside the $\alpha_{i+1}$ rectangle) i.e. the sequence $|\bar\alpha_i|$ is monotonically decreasing with increasing $i$. To see that $\bar\alpha_i$ and $\bar\alpha_{i+1}$ have opposite signs consider $J_i = \mathcal{O}/\alpha_i = \mathbb{Z} + \gamma_i\mathbb{Z}$. As noted above we have $\alpha_{i+1}/\alpha_i = \gamma_i$ and proposition 23 gives $-1 < \bar\gamma_i < 0$ so $\bar\alpha_{i+1}/\bar\alpha_i < 0$.

Proposition 26 For all $i \in \mathbb{Z}$
$$\ln\alpha_{i+1} - \ln\alpha_i < \tfrac12\ln D.$$

Proof We have $\alpha_{i+1}/\alpha_i = \gamma_i$ where $J_i = \mathbb{Z} + \gamma_i\mathbb{Z}$ is a reduced ideal and $\gamma_i = \frac{b_i+\sqrt D}{2a_i}$. Since $J_i$ is reduced, proposition 19 gives $b_i < \sqrt D$ so $\gamma_i < \frac{2\sqrt D}{2a_i} \le \sqrt D$ giving $\ln(\alpha_{i+1}/\alpha_i) < \ln\sqrt D$. ■

Proposition 27 For all $i \in \mathbb{Z}$
$$\ln\alpha_{i+1} - \ln\alpha_i > \ln\Big(1 + \frac{3}{16D}\Big) \ge \frac{3}{32D}.$$

(Remark: at eq. (5.4) of the cited treatment a stronger lower bound of $\ln(1 + 1/\sqrt D)$ is claimed but the above will suffice for our purposes.)

Proof As in the proof of proposition 26 we have
$$\frac{\alpha_{i+1}}{\alpha_i} = \gamma_i = \frac{b_i + \sqrt D}{2a_i} > 1.$$
Omitting the subscripts $i$ we have $\frac{b+\sqrt D}{2a} = 1 + \frac{b + \sqrt D - 2a}{2a}$. Let $\varepsilon = \sqrt D - \lfloor\sqrt D\rfloor$ and $\xi = \frac{b+\sqrt D-2a}{2a} = \frac{\sqrt D - (2a-b)}{2a} > 0$. Then since $0 < a < \sqrt D$ and $\xi > 0$ with $2a - b \in \mathbb{Z}$ (so that $2a - b \le \lfloor\sqrt D\rfloor$) we have
$$\xi \ge \frac{\varepsilon}{2a} > \frac{\varepsilon}{2\sqrt D}.$$
Write $K = \lfloor\sqrt D\rfloor$ and $D = K^2 + L$ with $1 \le L \le 2K$, so $\sqrt D = K\sqrt{1 + L/K^2}$. We apply the binomial inequality
$$1 + x/2 \ge \sqrt{1+x} \ge 1 + x/2 - x^2/8$$
and for $0 < x \le 1$ we have $x^2 \le x$ so $\sqrt{1+x} \ge 1 + 3x/8$. Hence
$$\sqrt D \ge K + \frac{3L}{8K} \ge K + \frac{3}{8K} > K + \frac{3}{8\sqrt D}$$
as $K < \sqrt D$. Thus $\varepsilon > \frac{3}{8\sqrt D}$ and $\xi > \frac{3}{16D}$ so $\alpha_{i+1}/\alpha_i > 1 + \frac{3}{16D}$. Finally using (for $0 < x < 1$)
$$\ln(1+x) \ge x - x^2/2 \ge x - x/2 = x/2$$
we get $\ln(\alpha_{i+1}/\alpha_i) > \ln\big(1 + \frac{3}{16D}\big) \ge \frac{3}{32D}$. ■

Thus we have upper and lower bounds on the separation between consecutive $\ln\alpha_i$ values. However the lower bound is exponentially small (in $\log D$) and we next give a constant lower bound for the separation between every second member of the sequence.

Proposition 28 For all $i \in \mathbb{Z}$
$$\ln\alpha_{i+1} - \ln\alpha_{i-1} > \ln 2.$$

Proof We saw previously that $\bar\alpha_{i-1}$ and $\bar\alpha_{i+1}$ have the same sign and the sequence $|\bar\alpha_i|$ is strictly decreasing with $i$. Hence $|\bar\alpha_{i+1} - \bar\alpha_{i-1}| < |\bar\alpha_{i-1}|$. Now if $\alpha_{i+1}/\alpha_{i-1} < 2$ then we would have $\alpha_{i-1} < \alpha_{i+1} < 2\alpha_{i-1}$ so $0 < \alpha_{i+1} - \alpha_{i-1} < \alpha_{i-1}$ i.e. if we write $\beta = \alpha_{i+1} - \alpha_{i-1}$ then $\beta$ lies inside the $\alpha_{i-1}$-rectangle. Since $\alpha_{i\pm1} \in \mathcal{O}$ we have $\beta \in \mathcal{O}$ and this contradicts the minimality of $\alpha_{i-1}$. Hence $\alpha_{i+1}/\alpha_{i-1} \ge 2$, and equality is impossible since it would give $|\bar\alpha_{i+1}| = 2|\bar\alpha_{i-1}|$. ■

Proposition 29 The sequence $\{\alpha_i\}$ contains all the minima of $\mathcal{O}$.

Proof Let $\alpha \in \mathcal{O}$ be any minimum. From propositions 26 and 28 we see that $\lim_{i\to\pm\infty}\ln\alpha_i = \pm\infty$ so there must be an $i \in \mathbb{Z}$ with $\alpha_i \le \alpha < \alpha_{i+1}$. We claim $\alpha = \alpha_i$. Otherwise $\alpha > \alpha_i$ contradicting the definition that $\alpha_{i+1}$ is the minimum with least size greater than $\alpha_i$. ■
Theorem 4 (The principal cycle of reduced ideals).

(a) The sequence $\{J_i\}_{i\in\mathbb{Z}}$ is periodic i.e. there is (a smallest) $k_0 \in \mathbb{N}$ such that $J_i = J_j$ iff $i \equiv j \pmod{k_0}$ for all $i, j \in \mathbb{Z}$. The repeating segment $\{J_0 = \mathcal{O}, J_1, \dots, J_{k_0-1}\}$ of principal reduced ideals is called the principal cycle.

(b) Let $\epsilon = \alpha_{k_0}/\alpha_0 = \alpha_{k_0}$. Then $\epsilon = \epsilon_0$, the fundamental unit of $\mathcal{O}$.

(c) Let $I$ be any reduced principal fractional ideal. Then $I$ is in the principal cycle.

Proof (a) By proposition 19 the sequence $\{J_i\}_{i\in\mathbb{Z}}$ contains only finitely many different ideals. Hence for some $k \in \mathbb{N}$ we have $J_i = J_{i+k}$ so $\alpha_i\mathcal{O} = \alpha_{i+k}\mathcal{O}$. Write $\eta = \alpha_{i+k}/\alpha_i$. Since $\alpha_{i+k} = \eta\alpha_i$ it follows from proposition 22 that $\alpha_{s+k} = \eta\alpha_s$ for any $s \in \mathbb{Z}$ and $J_s = J_{s+k} = J_{s+lk}$ for all $l, s \in \mathbb{Z}$. Set $s = 0$ and choose the minimal $k_0$ such that $\mathcal{O} = J_{k_0} = \frac{1}{\alpha_{k_0}}\mathcal{O}$. Write $\epsilon = \alpha_{k_0}$ which is necessarily a unit of $\mathcal{O}$ by proposition 10. Then $J_i$ for $0 \le i < k_0$ are pairwise distinct and
$$J_s = J_t \ \text{ iff } \ s \equiv t \pmod{k_0} \ \text{ for } s, t \in \mathbb{Z} \ \text{ iff } \ \alpha_s = \alpha_t\epsilon^l \ \text{ for some } l \in \mathbb{Z}. \qquad (11)$$

(b) To see that $\epsilon = \alpha_{k_0}$ is the fundamental unit $\epsilon_0$ of $\mathcal{O}$ let $\eta$ be any unit with $\eta > 0$. Then $\eta$ is a minimum of $\mathcal{O}$ (because if $\xi \in \mathcal{O}$ has $|\xi| < |\eta|$ and $|\bar\xi| < |\bar\eta|$ then $\xi/\eta \in \mathcal{O}$ has $|\xi/\eta| < 1$ and $|\overline{\xi/\eta}| = |\bar\xi/\bar\eta| < 1$ contradicting the minimality of $1$ in $\mathcal{O}$). Hence by proposition 29 $\eta = \alpha_k$ for some $k \in \mathbb{Z}$, i.e. $\frac{1}{\eta}\mathcal{O} = J_k$. But $\frac{1}{\eta}\mathcal{O} = \mathcal{O} = J_0$ as $\eta$ is a unit, so eq. (11) gives $\eta = \alpha_k = \alpha_0\epsilon^l = \epsilon^l$ for some $l \in \mathbb{Z}$. Hence $\epsilon = \epsilon_0$ the fundamental unit.

(c) Since $I$ is principal we can write $I = \frac{1}{\alpha}\mathcal{O}$. Hence $\mathcal{O} = \alpha I$ and since $1$ is a minimum of $I$ proposition 22 shows that $\alpha$ is a minimum of $\mathcal{O}$. Then proposition 29 shows that $I = J_k$ for some $k$. ■



Proposition 30 The length $k_0$ of the principal cycle satisfies
$$\frac{2R}{\ln D} \le k_0 \le \frac{2R}{\ln 2}.$$

Proof We have $R = \ln\epsilon_0 = \ln\alpha_{k_0} = \ln\alpha_{k_0} - \ln\alpha_0$ (as $\alpha_0 = 1$). Then proposition 28 gives $\frac{k_0}{2}\ln 2 \le R$ i.e. $k_0 \le 2R/\ln 2$. Similarly proposition 26 gives $k_0(\frac12\ln D) > R$. ■
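As an added example, not from the original notes, the following Python carries sections 6.2 and 6.3 through numerically: the reduction operator of eq. (10), the reduction loop of proposition 21, and the walk $J_0 = \mathcal{O}$, $J_{i+1} = \rho(J_i)$ of theorem 4. The minima $\alpha_i$ are tracked exactly as integer pairs $(p, q)$ meaning $(p + q\sqrt D)/2$, so the walk ends with the fundamental unit $\epsilon_0 = \alpha_{k_0}$ and $R = \ln\epsilon_0$; `pell` then reads the smallest solution of $x^2 - dy^2 = 1$ off a power of that unit. The function names are mine; $D$ is assumed to be the discriminant ($D = d$ if $d \equiv 1 \pmod 4$, else $4d$) so that $\mathcal{O} = \mathbb{Z} + \frac{D+\sqrt D}{2}\mathbb{Z}$ as above, and $\tau(b,a)$ is the representative of $b$ mod $2a$ in the ranges used in propositions 19 and 20.

```python
from math import isqrt, log, sqrt


def tau(b, a, D):
    """Representative of b mod 2a in (-a, a] if a > sqrt D, else in (sqrt D - 2a, sqrt D)."""
    K = isqrt(D)
    lo = K + 1 - 2 * a if a <= K else 1 - a
    return lo + (b - lo) % (2 * a)


def rho(a, b, D):
    """Reduction operator, eq. (10): (a, b) -> (c, tau(-b, c)) with c = |D - b^2| / (4a)."""
    c = abs(D - b * b) // (4 * a)
    return c, tau(-b, c, D)


def is_reduced(a, b, D):
    """Proposition 20: Z + (b + sqrt D)/(2a) Z is reduced iff b >= 0 and b + sqrt D > 2a."""
    t = 2 * a - b
    return b >= 0 and (t < 0 or t * t < D)


def reduce_ideal(a, b, D):
    """Proposition 21: apply rho until reduced.  Returns (a_red, b_red, shift, steps) where
    shift = sum of ln|gamma(I_j)| over the steps, i.e. I_red = (1/alpha) I with ln|alpha| = shift."""
    shift, steps = 0.0, 0
    while not is_reduced(a, b, D):
        shift += log(abs(b + sqrt(D)) / (2 * a))
        a, b = rho(a, b, D)
        steps += 1
    return a, b, shift, steps


def principal_cycle(D):
    """Theorem 4: walk J_0 = O, J_{i+1} = rho(J_i) until O recurs.  alpha_{i+1} = alpha_i gamma_i
    is tracked exactly as (p, q) meaning (p + q sqrt D)/2, so the loop ends with the fundamental
    unit eps_0 = alpha_{k_0}.  Returns (list of (a_i, b_i), (p, q), R = ln eps_0)."""
    O = (1, tau(D, 1, D))                      # a = 1, b = D mod 2 placed in the tau range
    cycle, (a, b), p, q = [], O, 2, 0          # alpha_0 = 1 = (2 + 0 sqrt D)/2
    while True:
        cycle.append((a, b))
        p, q = (p * b + q * D) // (2 * a), (p + q * b) // (2 * a)   # times (b + sqrt D)/(2a), stays in O
        a, b = rho(a, b, D)
        if (a, b) == O:
            return cycle, (p, q), log((p + q * sqrt(D)) / 2)


def pell(d):
    """Smallest x, y > 0 with x^2 - d y^2 = 1.  The fundamental unit eps = (p + q sqrt D)/2 of O
    may have norm -1 or half-integer coordinates, but one of eps, ..., eps^6 has norm +1 and
    lies in Z[sqrt d]; that power is the smallest Pell solution (x, y)."""
    D = d if d % 4 == 1 else 4 * d
    _, (p, q), _ = principal_cycle(D)
    ep, eq = p, q
    for _ in range(6):
        norm = (ep * ep - eq * eq * D) // 4
        integral = ep % 2 == 0 and (D != d or eq % 2 == 0)   # eps^e in Z[sqrt d]?
        if norm == 1 and integral:
            return (ep // 2, eq // 2) if D == d else (ep // 2, eq)
        ep, eq = (ep * p + eq * q * D) // 2, (ep * q + eq * p) // 2   # multiply by eps
    raise ValueError("no Pell solution among eps^1..eps^6 (should not happen)")
```

This is precisely the exponential classical route the notes contrast with Hallgren's algorithm: for $d = 7$ ($D = 28$) the cycle is $(1,4), (3,2), (2,2), (3,4)$ with $k_0 = 4$ and $\epsilon_0 = 8 + 3\sqrt7$, giving $(x,y) = (8,3)$; for $d = 61$ three steps already yield $x = 1766319049$, and in general $k_0$ is of the order of $R$ (proposition 30), i.e. exponential in $\log d$.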



6.4 The inverse of the reduction operator

Recall that if we apply the reduction operator $\rho$ sufficiently many times to $I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$ we will always eventually obtain a reduced ideal. As $a > 0$ can be arbitrarily large, there are infinitely many distinct ideals of this form. We also know that there are only finitely many reduced ideals and if $I$ is reduced then $\rho(I)$ is reduced too. Hence as a mapping on general ideals $\rho$ cannot be one-to-one.

However if we restrict to the subset of reduced principal ideals i.e. the principal cycle $\mathcal{PI}_{red} = \{J_0 = \mathcal{O}, J_1, \dots, J_{k_0-1}\}$ then we have $J_{i+1} = \rho(J_i)$ (cycling with $\rho(J_{k_0-1}) = J_0$) so $\rho$ is invertible and we now develop an explicit expression for the inverse map $\rho^{-1}$. Then together with the formula for the action of $\rho$ (in eq. (10)) we will be able to step in either direction along the principal cycle.

Let $I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z} = \mathbb{Z} + \gamma\mathbb{Z}$ be any reduced ideal. We define the conjugated ideal
$$\sigma(I) = \bar I = \mathbb{Z} + \frac{b-\sqrt D}{2a}\mathbb{Z} = \mathbb{Z} + \frac{\tau(-b,a)+\sqrt D}{2a}\mathbb{Z}$$
where the last expression (using $\mathbb{Z} = -\mathbb{Z}$) is in standard form. In terms of the geometrical picture of ideals, with $\alpha \in I$ embedded in $\mathbb{R}^2$ as $\vec\alpha = (\alpha, \bar\alpha)$, we see that the conjugation operation simply reflects the lattice in the $45°$ line $y = x$. Then the following facts are immediately evident:

(i) If $I$ is reduced then $\bar I$ is reduced (i.e. $1$ stays a minimum under conjugation).

(ii) If $\alpha$ is a minimum in $I$ then $|\bar\alpha|$ is a minimum in $\bar I$.

(iii) If $\alpha$ is the left (right) neighbour of a minimum $\beta$ in $I$ then $|\bar\alpha|$ is the right (left) neighbour of the minimum $|\bar\beta|$ in $\bar I$.

Now write $b_* = \tau(-b, a)$. Then since $\delta = \gamma(\bar I) = \frac{b_*+\sqrt D}{2a}$ is the right neighbour of $1$ in the reduced ideal $\bar I$ (cf. proposition 25), we see from (iii) that
$$|\bar\delta| = \Big|\frac{b_* - \sqrt D}{2a}\Big| = \frac{\sqrt D - b_*}{2a}$$
is the left neighbour of $1$ in $I$. Hence by the definition of $\rho(I) = \frac{1}{\gamma(I)}I$ we get
$$\rho^{-1}(I) = \frac{1}{|\bar\delta|}\,I = \frac{2a}{\sqrt D - b_*}\mathbb{Z} + \frac{b+\sqrt D}{\sqrt D - b_*}\mathbb{Z}.$$
To express this in standard form note that $-b$ and $b_*$ differ by a multiple of $2a$ and $\mathbb{Z} = -\mathbb{Z}$ so we get $\mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z} = \mathbb{Z} + \frac{\sqrt D - b_*}{2a}\mathbb{Z}$ so
$$\rho^{-1}(I) = \mathbb{Z} + \frac{2a}{\sqrt D - b_*}\mathbb{Z} = \mathbb{Z} + \frac{2a(b_* + \sqrt D)}{D - b_*^2}\mathbb{Z} = \mathbb{Z} + \frac{b_* + \sqrt D}{2c_*}\mathbb{Z}$$
where $c_* = (D - b_*^2)/(4a)$. Hence if $\rho^{-1}(I) = \mathbb{Z} + \frac{b''+\sqrt D}{2a''}\mathbb{Z}$ is the standard form, we have the explicit formulae:
$$b_* = \tau(-b, a), \qquad a'' = \frac{D - b_*^2}{4a}, \qquad b'' = \tau(b_*, a''). \qquad (12)$$

Remark From the geometrical picture we also see that $\rho^{-1}(I) = \sigma\rho\sigma(I)$ and above we saw that $\sigma$ induces the mapping $a \to a$, $b \to b_*$. These formulae together with eq. (10) may also be used to derive the above expressions for $\rho^{-1}$. ■

Since $0 < a, b < \sqrt D$ for reduced ideals we see from eqs. (10) and (12) that the action of $\rho$ and $\rho^{-1}$ may be computed in $\mathrm{poly}\log D$ time.



7 The distance function for ideals

Let $I_1$ and $I_2$ be fractional (principal) ideals of $\mathcal{O}$ which are related by $I_1 = \gamma I_2$ for some $\gamma \in \mathbb{Q}[\sqrt d]$. Then the distance $\delta(I_1, I_2)$ is defined by
$$\delta(I_1, I_2) = \ln|\gamma| \bmod R \qquad (13)$$
(recalling that $R = \ln\epsilon_0$ where $\epsilon_0$ is the fundamental unit of $\mathbb{Q}[\sqrt d]$). If $I_1 \ne \gamma I_2$ for any $\gamma \in \mathbb{Q}[\sqrt d]$ then the distance is not defined.

Note first that although $\gamma$ is not unique, $\delta(I_1, I_2)$ is well defined: if $I_1 = \gamma' I_2$ as well as $I_1 = \gamma I_2$ then by proposition 10 we must have $\gamma' = \epsilon\gamma = \pm\epsilon_0^k\gamma$ for some $k \in \mathbb{Z}$. Hence $\ln|\gamma'| = \ln|\gamma| + kR$. Also from eq. (13) we have $\delta(I_2, I_1) = -\delta(I_1, I_2)$ (when either is defined).

Of particular interest will be the distance $\delta(\mathcal{O}, I)$ of any principal ideal from the unit ideal $\mathcal{O}$. We write $\delta(I)$ for $\delta(\mathcal{O}, I)$.

Now recall the principal cycle of reduced ideals $J_i = \mathcal{O}/\alpha_i = \mathbb{Z} + \gamma_i\mathbb{Z}$ with $i = 0, 1, \dots, k_0 - 1$. Thus $\delta(J_i) = \ln\alpha_i$ and $\delta(J_i, J_k) = \ln\alpha_k - \ln\alpha_i$. We also had $J_{i+1} = \rho(J_i)$ and $\alpha_{i+1} = \gamma_i\alpha_i$. Then propositions 27, 26 and 28 immediately give the following.

Proposition 31 For all $i \in \mathbb{Z}$
$$\frac{3}{32D} \le \delta(J_i, \rho(J_i)) = \ln\gamma_i < \tfrac12\ln D.$$

Proposition 32 For all $i \in \mathbb{Z}$
$$\delta(J_i, \rho^2(J_i)) > \ln 2.$$



Furthermore for principal ideals that are not reduced we show that the reduction process of proposition 21 leads to a reduced ideal $I_{red}$ that is close in distance to $I$.

Proposition 33 Let $I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z}$ be any (not necessarily reduced) principal fractional ideal. Let us place ideals along $\mathbb{R}$ at positions corresponding to their distances from $\mathcal{O}$ at $0$. In the notation of proposition 21 let $i_{red}$ be the least integer such that $I_{red} = \rho^{i_{red}}(I) = \frac{1}{\alpha}I$ is reduced. Let $J_k$ be the nearest member of the principal cycle to $I$ with the property that $\bar\alpha_k$ has opposite sign to $\bar\alpha$ (recalling that the $\bar\alpha_j$'s alternate in sign).

Then $I$ lies between $J_{k-1}$ and $J_{k+1}$ and $I_{red}$ is one of $J_{k-1}, J_k, J_{k+1}$. Thus also
$$|\delta(I, I_{red})| < \ln D$$
and $\delta(\rho^2(I_{red})) > \delta(I)$.

Proof Recall that $\alpha$ is a minimum of $I$. The fact that $I$ lies between $J_{k-1}$ and $J_{k+1}$ with $J_k$ as above, and that $I_{red}$ is one of $J_{k-1}, J_k, J_{k+1}$, follows from the geometrical picture of ideals as lattices in $\mathbb{R}^2$ (as claimed in [?]).

I can't yet quite see how this works and proofs from readers (to richard@cs.bris.ac.uk) would be most welcome!

Given these facts proposition 31 gives $|\delta(I, I_{red})| < \ln D$ and since $\rho$ cycles consecutively through the principal cycle we get $\delta(\rho^2(I_{red})) > \delta(I)$. ■

7.1 Products of ideals: making large distance jumps

We will need an efficient method of locating ideals (and their distances) that are far out along the exponentially long principal cycle. Of course applying $\rho$ repeatedly to $\mathcal{O}$ will eventually reach any ideal on the cycle (and we can accumulate the successive distance increments too) but in view of proposition 31 for exponentially distant ideals this will require exponentially many steps. Hence we introduce a method of multiplying ideals together (with corresponding addition of distances) which will allow large distance jumps via iterated squaring.

If $I_1$ and $I_2$ are ideals then the product $I_1 \cdot I_2$ is defined to be the $\mathbb{Z}$-linear span of the set $\{\alpha\beta : \alpha \in I_1, \beta \in I_2\}$. $I_1 \cdot I_2$ is clearly again an ideal. If $\{\alpha_1, \alpha_2\}$ and $\{\beta_1, \beta_2\}$ are integral bases of $I_1$ and $I_2$ respectively then $I_1 \cdot I_2$ is the $\mathbb{Z}$-linear span of $\{\alpha_1\beta_1, \alpha_1\beta_2, \alpha_2\beta_1, \alpha_2\beta_2\}$. For principal ideals given as $I_1 = \xi_1\mathcal{O}$ and $I_2 = \xi_2\mathcal{O}$ we simply have $I_1 \cdot I_2 = \xi_1\xi_2\mathcal{O}$ but we will be interested in computing products of (reduced) ideals in the presentation of eq. (8).

Proposition 34 Let
$$I_i = a_i\mathbb{Z} + \frac{b_i+\sqrt D}{2}\mathbb{Z}, \qquad i = 1, 2,$$
be principal ideals. Let $k = \gcd(a_1, a_2, (b_1+b_2)/2)$ and let $u, v, w$ be integers such that
$$ua_1 + va_2 + w(b_1+b_2)/2 = k$$
(which are guaranteed to exist by Euclid's algorithm). Then
$$I_3 = I_1 \cdot I_2 = k\Big(a_3\mathbb{Z} + \frac{b_3+\sqrt D}{2}\mathbb{Z}\Big)$$
where
$$a_3 = a_1a_2/k^2 \qquad\text{and}\qquad b_3 = \tau\Big(\big(ua_1b_2 + va_2b_1 + w\tfrac{b_1b_2 + D}{2}\big)/k,\ a_3\Big).$$

Proof Let $k(a_3\mathbb{Z} + \frac{b_3+\sqrt D}{2}\mathbb{Z})$ be the standard representation of $I_3$ (as in proposition 15). For principal ideals $I = \xi\mathcal{O}$ we had $\mathcal{N}(I) = |\xi\bar\xi|$ (cf. proposition 17) so $\mathcal{N}(I_3) = \mathcal{N}(I_1)\mathcal{N}(I_2)$. Then using the formula for $\mathcal{N}(I)$ in proposition 15 we get $k^2a_3 = a_1a_2$ so $a_3 = a_1a_2/k^2$. To derive the claimed formula for $k$ note first that (cf. proposition 15) $b_1^2 - D$ is a multiple of $4$ so $b_1^2 \equiv D \pmod 2$. Hence $b_1 \equiv D \pmod 2$ (as integers and their squares always have the same even/odd parity). Similarly $b_2 \equiv D \pmod 2$ so $b_1 \equiv b_2 \pmod 2$ and $(b_1+b_2)/2$ is an integer. Next recall that $k/2$ is uniquely determined as the least positive coefficient of $\sqrt D$ in any member of $I_3$. But $I_3$ is generated over $\mathbb{Z}$ by $a_1a_2$, $a_1(b_2+\sqrt D)/2$, $a_2(b_1+\sqrt D)/2$ and $(b_1b_2 + (b_1+b_2)\sqrt D + D)/4$ so the allowable coefficients of $\sqrt D$ have the form $\frac12\big(xa_1 + ya_2 + z(b_1+b_2)/2\big)$ with $x, y, z \in \mathbb{Z}$. Hence Euclid's algorithm gives $k = \gcd(a_1, a_2, (b_1+b_2)/2)$. Write
$$k = ua_1 + va_2 + w(b_1+b_2)/2 \quad\text{for } u, v, w \in \mathbb{Z}.$$
Then we must have
$$k\Big(\frac{b_3+\sqrt D}{2}\Big) = ua_1\frac{b_2+\sqrt D}{2} + va_2\frac{b_1+\sqrt D}{2} + w\frac{b_1b_2 + (b_1+b_2)\sqrt D + D}{4} + s\,a_1a_2$$
for some $s \in \mathbb{Z}$. Equating coefficients of the $\sqrt D$-free terms we get
$$b_3 = \frac1k\Big(ua_1b_2 + va_2b_1 + w\frac{b_1b_2 + D}{2}\Big) + 2sa_1a_2/k.$$
Since $a_1a_2/k = ka_3$ the final term is an even multiple of $a_3$ and the uniqueness condition $b_3 = \tau(b_3, a_3)$ gives the claimed formula. ■

It follows immediately from the definitions that
$$\delta(I_1 \cdot I_2) = \delta(I_1) + \delta(I_2)$$
if we do not reduce the sum of the distances mod $R$. We also point out that even if $I_1$ and $I_2$ are reduced then $I_1 \cdot I_2$ is generally not reduced.

We will use products primarily in the special case that $I_1 = I_2 = I$ where
$$I = \mathbb{Z} + \frac{b+\sqrt D}{2a}\mathbb{Z} = \frac1a\Big(a\mathbb{Z} + \frac{b+\sqrt D}{2}\mathbb{Z}\Big)$$
is a reduced ideal in the principal cycle. In that case proposition 34 gives
$$I^2 = \frac{k'}{a^2}\Big(a'\mathbb{Z} + \frac{b'+\sqrt D}{2}\mathbb{Z}\Big)$$
with
$$k' = \gcd(a,b) = ua + wb, \qquad a' = a^2/k'^2, \qquad b' = \tau\big((uab + w(b^2+D)/2)/k',\ a'\big)$$
so (using $a' = a^2/k'^2$) $I^2 = \frac{1}{k'}\big(\mathbb{Z} + \frac{b'+\sqrt D}{2a'}\mathbb{Z}\big)$. Here $a', b', k'$ are unique and explicitly calculated so we can consider the ideal
$$I_2 = \mathbb{Z} + \frac{b'+\sqrt D}{2a'}\mathbb{Z}$$
which is generally not reduced. Since $I$ was reduced we have $0 < a, b < \sqrt D$ and so $k' = \gcd(a,b) < \sqrt D$. Hence $|\delta(I^2, I_2)| = \ln k' < \frac12\ln D$. Next use proposition 21 to obtain a reduced ideal $I_2'$ from $I_2$, which will be a member of the principal cycle (by theorem 4(c)). Furthermore by proposition 33 we have $|\delta(I_2, I_2')| < \ln D$ so $|\delta(I^2, I_2')| < \frac32\ln D$. Hence in view of proposition 32 if we apply $\rho$ or $\rho^{-1}$ to $I_2'$, $2n$ times where $n \le (\frac32\ln D)/\ln 2 = O(\ln D)$, then we can locate the first member $J_k$ of the principal cycle with distance $\delta(J_k) > 2\delta(I)$ (and also compute its distance $\delta(J_k)$). We denote this uniquely determined ideal $J_k$ by $I * I$ i.e. for any member $I$ of the principal cycle, $I * I$ is the first member with distance exceeding twice the distance of $I$. (In the above construction if $2\delta(I)$ exceeds $R$ then we simply wrap around the principal cycle, passing through $\mathcal{O}$ again.)

Let us now estimate the computational complexity of computing $I * I$ from $I$. Since $I$ was reduced we have $a, b = O(\sqrt D)$. Also in $k' = ua + wb$ the integers $u, w$ are not unique and we have the freedom (leaving $k'$ unchanged):
$$u \to u - xb, \qquad w \to w + xa \qquad \text{for any } x \in \mathbb{Z}.$$
Hence we can always make $u < b = O(\sqrt D)$ and $k' = ua + wb$ gives $w = O(D)$ too. Thus $a', b', k'$ are all at most $O(D^2)$ and the arithmetic calculation of $I_2$ can be performed in $O(\mathrm{poly}\log D)$ time. Furthermore the reduction operation of proposition 21 requires $O(\log(a'/\sqrt D))$ steps for $a' = O(D^2)$ and to compute $I_2'' = I * I$ we apply $\rho^{\pm1}$ at most $(\frac32\ln D)/\ln 2 = O(\ln D)$ times. Hence the entire computation of $I * I$ from $I$ can be performed in $O(\mathrm{poly}\log D)$ time and we have proved the following.

Proposition 35 Let $I$ be a reduced principal ideal. Consider the iterated $*$-squaring:
$$I \to I^{(2)} = I * I \to I^{(4)} = I^{(2)} * I^{(2)} \to \cdots \to I^{(2^n)} = I^{(2^{n-1})} * I^{(2^{n-1})}.$$
The final ideal $I^{(2^n)}$ has distance $\delta(I^{(2^n)}) > 2^n\delta(I)$ (where we have not reduced the growing distances mod $R$) and this ideal (with its unreduced distance) can be computed in $O(\mathrm{poly}(\log D), n)$ time.

More generally if $I_1$ and $I_2$ are reduced ideals
$$I_i = \mathbb{Z} + \frac{b_i+\sqrt D}{2a_i}\mathbb{Z}$$
(so $0 < a_i, b_i < \sqrt D$) we define $I_1 * I_2$ to be the first member of the principal cycle whose distance exceeds $\delta(I_1) + \delta(I_2)$. Then following the methods above it is easy to see that $I_1 * I_2$ (i.e. its $a, b$ parameters) can be computed in $\mathrm{poly}\log D$ time from $a_1, a_2, b_1, b_2$.



8 Summary: the picture so far

Given $d$ we have the algebraic integers $\mathcal{O} \subseteq \mathbb{Q}[\sqrt d]$ and a finite (but exponentially large in $\log d$) set of principal reduced ideals $\{J_0 = \mathcal{O}, J_1, \dots, J_{k_0-1}\}$ of $\mathcal{O}$. Each $J_i$ is defined by a pair of integers $a, b$ with $0 < a, b < \sqrt D$ and hence has a $\mathrm{poly}\log d$ sized description. We write $J_i = \mathbb{Z} + \gamma_i\mathbb{Z} = \mathbb{Z} + \frac{b_i+\sqrt D}{2a_i}\mathbb{Z}$.

The reduced ideals $J_i$ can be placed around a circle of circumference $R = \ln\epsilon_0$ at irregularly spaced distances $\delta(J_i)$ from the ideal $\mathcal{O}$ at distance $0$, giving the so-called principal cycle. Since $J_i$ is principal it has the form $J_i = \frac{1}{\alpha_i}\mathcal{O}$ for some $\alpha_i \in \mathbb{Q}[\sqrt d]$ and then $\delta(J_i) = \ln|\alpha_i| \bmod R$.

We have a reduction operator $\rho$ such that $J_{i+1} = \rho(J_i)$ and $\rho$ and $\rho^{-1}$ are polynomial time computable mappings allowing us to step either direction around the principal cycle.

We have an (exponentially small) lower bound $d_{min} = 3/(32D)$ on the distance between consecutive ideals $J_i$ and an upper bound of $\frac12\ln D$. We also have a constant lower bound of $\ln 2$ on the distance between $J_i$ and $J_{i+2}$.

If $J_i$ is given in the form $\mathbb{Z} + \gamma_i\mathbb{Z}$ then we cannot compute $\delta(J_i)$ in $\mathrm{poly}\log d$ time (e.g. we cannot translate $\mathbb{Z} + \gamma_i\mathbb{Z}$ efficiently to the $\frac{1}{\alpha_i}\mathcal{O}$ description). But we can efficiently compute the distance increments induced by $\rho$ and obtain the distance increment from $J_i$ to $J_{i+1}$ in time $\mathrm{poly}\log d$ if $\gamma_i$ is given.

The above method does not allow us to efficiently move far out along the principal cycle starting from $\mathcal{O}$ (as this would require exponentially many steps). To achieve such large jumps we introduced a product operation $I * J$ on reduced ideals $I, J$ with the property that $I * J$ is the first reduced ideal having distance exceeding $\delta(I) + \delta(J)$. $I * J$ and $\delta(I * J)$ are then efficiently computable so by iterated $*$-squaring of $J_2 = \rho^2(\mathcal{O})$ having $\delta(J_2) > \ln 2$ we can move out to a distance exceeding $2^n\ln 2$ in $\mathrm{poly}(\log d, n)$ time. If $2^n\ln 2$ exceeds $R$ as $n$ increases, the increasingly distant ideals simply wrap around the circle while the distance we compute is not reduced mod $R$.

9 The periodic function for Hallgren's algorithm

Recall that $\mathcal{PI}_{red}$ denotes the (finite) set of all reduced principal fractional ideals i.e. the principal cycle, and $\delta(I)$ denotes the distance of $I$ from the unit ideal $\mathcal{O}$. Define $h : \mathbb{R} \to \mathcal{PI}_{red} \times \mathbb{R}$ as follows. Let $\hat x = x \bmod R$ with $0 \le \hat x < R$. Then
$$h(x) = \big(I_x,\ \hat x - \delta(I_x)\big)$$
where $I_x \in \mathcal{PI}_{red}$ is the ideal having greatest distance $\delta(I_x) \le \hat x$. In other words, if we place ideals $I$ along the real axis at positions in $[0, R)$ given by their distances $\delta(I)$ from $\mathcal{O}$ at $x = 0$, and periodically reproduce this pattern in each interval of length $R$, then $I_x$ is the ideal that is nearest to the left of $x$ and $\hat x - \delta(I_x)$ is the distance gap up to $x$.

Remark Intuitively we simply wanted $h'(x) = I_x$ but we include the information of the positive distance gap $\hat x - \delta(I_x)$ in the value of $h(x)$ to ensure that $h$ is a one-to-one function within each period (noting that $h'$ is constant for $x$ varying between consecutive ideals).

The main point of our whole development of the theory of reduced ideals is to prove the following result.

Theorem 5 The function $h$ is computable in polynomial time. More precisely, if $x$ is an integer multiple of $10^{-n}$ we can compute the ideal $I_x$ exactly and an approximation of $x - \delta(I_x)$ accurate to $10^{-n}$ in time $\mathrm{poly}(\log D, \log x, n)$.

Also $h$ is a periodic function with period $R$ and it is one-to-one within each period.

Proof Clearly from the definition, h is periodic and one-to-one within each period. 

Given x we can compute the ideal Ix ^ (a, b) as follows. Recall that the action of p and p~^ on 
a reduced ideal can be computed in poly log 7? time. We start with O ~ (r(7?, 2),I) at 6{0) = 0. 
Apply p twice to get Iq = p'^{0) with InT) > 5{Iq) > ln2. Write A = d{Io)- Compute a sequence of 
ideals Iq, h, I2, ■ ■ ■ by repeated *— squaring i.e. Ik+i = Ik* Ik- Hence 

2d{Ik-i) < S{Ik) < 2d{Ik-i) + \ In 7? 

and so (5(7^) > A2^ (and we are not reducing the distance mod FC). We terminate the iteration 
with k = N when d{lN+i) first exceeds x, which always happens for N < [log2(a;/A)] . 
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Now take In and continue moving towards x from the left in successively smaller steps, first using 
*— products with /^v-i, then In-2 etc, ensuring each time to stay to the left of x. More precisely 
if we are at a reduced ideal J and we are using Ik then we compute J * Ik with 5{ J) + 5{Ik) < 
5{J * Ik) < S{J) + 5{Ik) + 5 InZ? and replace J hy J * Ik so long as S{J * Ik) < x. If S{J * Ik) > x 
we discard it and try J * Ik-i- Finally after 0{N) = 0(loga;) steps, finishing with Ii we will have 
computed a reduced ideal J* to the left of x with x — S{J^) < A + ^\nD < | InD. 

While doing all this with the ideals we also carry along a parallel computation of their accumulating distances (but not mod $R$) using the formula $\delta(I, \rho(I)) = \ln|\gamma|$ for $I = \mathbb{Z} + \gamma\mathbb{Z}$ and proposition [?], calculating to a sufficient accuracy that will give the final $\delta(J)$ (at the end of our process continuing below) to the desired accuracy.

Finally we repeatedly apply $\rho$ to $J^*$ until the distance again exceeds $x$. This will require at most $(\tfrac32 \ln D)/\ln 2$ steps. If $J'$ is the last such ideal to the left of $x$ then $I_x$ will certainly be either $J'$ or $\rho(J')$, which we can determine by finally checking whether $\delta(\rho(J'))$ exceeds $x$ or not.

As mentioned above, while doing all this with the ideals we also carry along a parallel computation of their accumulating distances. Since $n$ digit arithmetical operations are computable with $\mathrm{poly}(n)$ effort, this whole process gives the full value of $h(x)$ (with $I_x$ precisely and $x - \delta(I_x)$ to $n$ digits of accuracy) with $\mathrm{poly}(\log D, \log x, n)$ effort. By proposition [?], if $10^{-n} < d_{\min} = 3/(32D)$ (a lower bound on the minimum distance between ideals), we will certainly have located the nearest form to the left of $x$. (If $n$ is not sufficiently large, we still always work to an accuracy which is at least as fine as the above bound.) ■

Proof of proposition 12 Given $\lceil R \rceil$ or $\lfloor R \rfloor$ we use theorem 5 to compute the closest ideal $I$ to the left of $\lfloor R \rfloor$ and also its distance (to any desired accuracy). Thus $\delta(\rho(I)) > \lfloor R \rfloor$ and $\delta(\rho^2(I)) > \lfloor R \rfloor + \ln 2 > \lceil R \rceil$. It follows that either $\rho(I)$ or $\rho^2(I)$ must be $\mathcal{O} = J_0$ and its distance (that we compute) gives $R$. ■

10 The quantum algorithm for irrational periods on $\mathbb{R}$

Suppose we have a function on $\mathbb{R}$ that is periodic with (possibly irrational) period $R$:
$$f : \mathbb{R} \to X \qquad f(x + R) = f(x) \ \text{ for all } x \in \mathbb{R}.$$

To apply the quantum period finding algorithm we will need to suitably discretise $f$, by taking values only at integer multiples $k/N$ of $1/N$ (for suitably large $N$), and if $X$ also contains continuous variables it should be discretised too, to ensure that exact calculations can be performed. For example if $f : \mathbb{R} \to \mathbb{R}$ then we could define
$$\tilde f : \mathbb{Z} \to \tfrac{1}{N}\mathbb{Z} \qquad \text{by} \qquad \tilde f(k) = \lfloor f(k/N) \rfloor_N$$
where we use the notation $\lfloor x \rfloor_N$ to denote the value of $x$ rounded down to the nearest multiple of $1/N$ (and similarly $\lceil x \rceil_N$ for rounding up). We would want $\tilde f$ to contain suitable approximate information about the period $R$ but unfortunately this is not guaranteed: suppose that $f$ has a very large variation in the region of diameter $1/N$ around $x = k/N$. Then although $f(k/N) = f(k/N + lR)$ exactly for all $l \in \mathbb{Z}$, if we round $lR$ down (or up) to the nearest multiple of $1/N$ then the values of $f(k/N + \lfloor lR \rfloor_N)$ could vary arbitrarily with $l$ because (for irrational $R$) the rounding gap $0 \le lR - \lfloor lR \rfloor_N < 1/N$ is generally dense in the interval $[0, 1/N]$ as $l$ ranges over $\mathbb{Z}$. Thus the periodicity may not be evident (even approximately) in $\tilde f$. To rule out such behaviour, we introduce the following notion of "weak periodicity" which will suffice for our applications.
Definition A function $f : \mathbb{Z} \to X$ is called weakly periodic with period $S \in \mathbb{R}$ if for each $0 \le k < \lfloor S \rfloor$ and each $l \in \mathbb{Z}$
$$\text{either } f(k + \lfloor lS \rfloor) \text{ or } f(k + \lceil lS \rceil) \text{ equals } f(k). \qquad (14)$$
We write $f(k) = f(k + [lS])$ where the notation $[lS]$ denotes a chosen one of the two values $\lfloor lS \rfloor$ or $\lceil lS \rceil$ (and the choice may vary with $k$ and $l$).

Remark In our applications $f$ with period $S$ will arise from a computational problem with some input size $\sigma$ and $S$ will grow as $\log S = O(\mathrm{poly}(\sigma))$. Then we will require the condition eq. (14) to hold only for a suitably large fraction $1 - 1/\mathrm{poly}(\sigma)$ of the values $0 \le k < \lfloor S \rfloor$. ■

Recall our fundamental function with period $R$ (the regulator):
$$h : \mathbb{R} \to \mathcal{I}_{\mathrm{red}} \times \mathbb{R} \qquad h(x) = \left(I_x,\ x - \delta(I_x)\right)$$
where $I_x$ is the reduced principal ideal closest in distance to the left of $x$ and $x - \delta(I_x)$ is the distance gap from $I_x$ to $x$. Define
$$h_N : \mathbb{Z} \to \mathcal{I}_{\mathrm{red}} \times \tfrac{1}{N}\mathbb{Z} \qquad h_N(k) = \left(I_{k/N},\ \lfloor k/N - \delta(I_{k/N}) \rfloor_N\right)$$
i.e. we compute $h(x)$ for $x = k/N$ and round the distance gap value down to the nearest integer multiple of $1/N$.

Proposition 36 (i) $h_N$ is one-to-one on $0 \le k < \lfloor NR \rfloor$.

(ii) $h_N(k)$ is computable in $\mathrm{poly}(\log k, \log N, \log d)$ time, so if $N$ and $k$ are $O(\mathrm{poly}(d))$ then $h_N(k)$ is computable in time $\mathrm{poly}(\log d)$.

(iii) Let $d_{\min} = 3/(32D)$ be a lower bound on the minimum distance between reduced ideals, and recall that $\sigma = \log d$ is the input size for the computation. If $N$ is sufficiently large, i.e. $1/N < d_{\min}/\log d$, then $h_N$ is weakly periodic with period $NR$. In fact the condition eq. (14) holds at all values $0 \le k < \lfloor NR \rfloor$ except possibly at the largest multiple $k/N$ of $1/N$ to the left of each reduced ideal (which is at most a fraction $1/\log d$ of the values).

Proof (i) $h_N(k) = h_N(l)$ means that $k/N$ and $l/N$ have the same nearest ideal on the left and the distances to it (from $k/N$, $l/N$) are the same when rounded down to the nearest multiple of $1/N$. But $|k/N - l/N| \ge 1/N$ if $k \ne l$ so the rounded distances must then be different. Hence $h_N(k) = h_N(l) \Rightarrow k = l$.

(ii) This is an immediate consequence of theorem 5, noting also that arithmetic operations with integers of size $O(N)$ (such as rounding operations) can be performed in $\mathrm{poly}(\log N)$ time.

(iii) Consider any fixed value $0 \le k < \lfloor NR \rfloor$. Let $I'$ at distance $\delta(I') = x_0 \le k/N$ be the nearest ideal to the left of $k/N$, with distance gap $n_0/N + \epsilon_1$ where $n_0 \in \mathbb{N}$ and $0 \le \epsilon_1 < 1/N$. Since $h$ is exactly periodic, $I'$ is also the nearest ideal to the left of $k/N + lR$, having the same distance gap. But now $k/N + lR$ is not an exact multiple of $1/N$ so consider rounding it down and up to $\lfloor k/N + lR \rfloor_N$ and $\lceil k/N + lR \rceil_N$. Let the corresponding rounding distances be $\epsilon_2$ (down) and $\epsilon_3$ (up). Thus $\epsilon_2 + \epsilon_3 = 1/N$. We then have the following unrounded distances back to $I'$:

from $k/N$: $n_0/N + \epsilon_1$;

from $\lfloor k/N + lR \rfloor_N$: $n_0/N + \epsilon_1 - \epsilon_2 = n_0/N + \epsilon_1 - 1/N + \epsilon_3$;

from $\lceil k/N + lR \rceil_N$: $n_0/N + \epsilon_1 + \epsilon_3$.

Hence if $\epsilon_1 + \epsilon_3 \ge 1/N$ then $k/N$ and $\lfloor k/N + lR \rfloor_N$ will have the same rounded distances and $h_N(k) = h_N(k + \lfloor lR \rfloor)$. (Note that the rounded down position $\lfloor k/N + lR \rfloor_N$ can never pass to the left of $I'$ because $\epsilon_1 + \epsilon_3 \ge 1/N$, so the unrounded distance $n_0/N + \epsilon_1 - 1/N + \epsilon_3 \ge n_0/N$.) If $\epsilon_1 + \epsilon_3 < 1/N$ then $k/N$ and $\lceil k/N + lR \rceil_N$ will have the same rounded distances to $I'$. But rounding $k/N + lR$ up to $\lceil k/N + lR \rceil_N$ may cross over another ideal $I''$ located in the gap between these two values. This can happen only if $k/N$ is the greatest multiple of $1/N$ to the left of $I''$. Thus, except for this eventuality, we have $h_N(k) = h_N(k + \lceil lR \rceil)$.

In summary, the weak periodicity condition eq. (14) must hold at all $k$ except possibly those $k$ with $k/N$ being the largest such value to the left of a reduced ideal. Now if $1/N < d_{\min}/\log d$, i.e. $N > \log d/d_{\min}$, then we have at least $\log d$ points between any two ideals so the weak periodicity condition will hold at least for a fraction $(\log d - 1)/\log d = 1 - 1/\log d$, i.e. $1 - 1/\mathrm{poly}(\log d)$, of all $k$ values. ■



Theorem 6 Suppose that $f : \mathbb{Z} \to X$ is weakly periodic with period $S$ and

(a) $f(k)$ is computable in $\mathrm{poly}(\log k, \log S)$ time;

(b) $f$ is one-to-one for $0 \le k < \lfloor S \rfloor$;

(c) given an integer $m$ there is a $\mathrm{poly}(\log S)$ time algorithm that will test if $m$ is close to an integer multiple of $S$ or not, i.e. if $|jS - m| < 1$ for some $j \in \mathbb{Z}$ or not.

Then there is a quantum algorithm with running time $\mathrm{poly}(\log S)$ that outputs an integer $a$ with $|S - a| < 1$ with probability $\ge 1/\mathrm{poly}(\log S)$.

Proof Introduce some further notation: $[x]$ for the nearest integer above or below $x$. Thus $|x - [x]| \le 1/2$.

We will use quantum Fourier sampling in a dimension $q$ with $q > 3S^2$ (cf. later for the origin of this choice) and $q$ a power of 2 (for ease of efficient implementation of the quantum Fourier transform). Construct the state
$$\frac{1}{\sqrt q} \sum_{m=0}^{q-1} |m\rangle\, |f(m)\rangle$$
which by (a) can be done in $\mathrm{poly}(\log S)$ time. Write
$$q = pS + r \qquad p \in \mathbb{Z},\ 0 \le r < S$$
i.e. $pS$ is the largest multiple of $S$ that is $\le q$, so $pS \le q$. Measure the second register to obtain in the first register:
$$|\psi_0\rangle = \frac{1}{\sqrt p} \sum_{l=0}^{p-1} |k + [lS]\rangle$$
for $0 \le k < \lfloor S \rfloor$ chosen uniformly.

(Note: here we have assumed that the weak periodicity condition eq. (14) holds for all $k$. If it holds only for a fraction $1 - 1/\mathrm{poly}(\log S)$ of the $k$ values, then the state $|\psi_0\rangle$ will be slightly modified and our estimates below will be altered by a suitably small ($1/\mathrm{poly}(\log S)$) amount. Our final conclusions will remain valid but for clarity we will omit explicit analysis of these extra obfuscating variations.)

Next apply the quantum Fourier transform mod $q$ to $|\psi_0\rangle$ to obtain the state $\sum_j a_j |j\rangle$. We will be interested in the output probabilities $|a_j|^2$ and these do not depend on $k$ (by the shift invariance property of the Fourier transform). Hence (wlog) we will set $k = 0$. Then
$$a_j = \frac{1}{\sqrt{pq}} \sum_{l=0}^{p-1} e^{2\pi i\, j [lS]/q}.$$

Write $[lS] = lS + \delta_l$ with $-1 < \delta_l < 1$. Consider those $j$'s that are nearest to an integer multiple of $q/S$:
$$j = \left[\frac{kq}{S}\right] = \frac{kq}{S} + \epsilon \qquad 0 \le k < S \ \text{ and } -\tfrac12 \le \epsilon \le \tfrac12 \qquad (15)$$



and also those $j$'s that are not too large:
$$j < \frac{q}{\log S}. \qquad (16)$$

For these $j$'s we have
$$\frac{j[lS]}{q} = \left(\frac{k}{S} + \frac{\epsilon}{q}\right)(lS + \delta_l) = \frac{k\delta_l}{S} + \frac{\epsilon l S}{q} + \frac{\epsilon\delta_l}{q} \pmod 1$$
where we have removed the integer $lk$. Since we are taking $j = kq/S + \epsilon < q/\log S$ and $|\epsilon| \le 1/2$ we get $k/S < 1/\log S + 1/(2q)$. Also $|\delta_l| < 1$ and $q > 3S^2$ so
$$\left| \frac{k\delta_l}{S} + \frac{\epsilon\delta_l}{q} \right| < \frac{1}{\log S} + \frac{1}{2q} + \frac{1}{2q} < \frac{2}{\log S}.$$
Then writing $A = \epsilon S p/q$ we have
$$a_j = \frac{1}{\sqrt{pq}} \sum_{l=0}^{p-1} e^{2\pi i \left(Al/p + \xi(l)\right)}$$
where
$$\xi(l) = \frac{k\delta_l}{S} + \frac{\epsilon\delta_l}{q} \quad \text{has} \quad |\xi(l)| < \frac{2}{\log S}$$
and $A = \epsilon S p/q$ has (recalling $pS \le q$)
$$|A| = \left| \frac{\epsilon S p}{q} \right| \le |\epsilon| \le \frac12.$$

Hence by lemma 3 below there is a constant $c$ such that
$$|a_j|^2 \ge \frac{1}{pq}\, c p^2 = \frac{cp}{q} \ge \frac{cp}{pS} = \frac{c}{S}$$
i.e. for each $j$ satisfying eqs. (15) and (16) we have
$$\mathrm{prob}(j) \ge \frac{c}{S}$$
and they are uniformly distributed. How many such $j$'s are there? We have $j = [kq/S] < q/\log S$ so $0 \le k < S/\log S$. Thus the probability of getting a $j$ value that satisfies eqs. (15) and (16) is $\ge c/\log S$.

Running all the above twice we will obtain two such $j$ values (called $c$ and $d$):
$$c = \left[\frac{kq}{S}\right] \qquad d = \left[\frac{lq}{S}\right] \qquad (17)$$
having $\gcd(k, l) = 1$ with probability $1/\mathrm{poly}(\log S)$. (The $\gcd(k, l) = 1$ condition is obtained with inverse polynomial probability by the prime number theorem.) From $c$ and $d$ we want to extract the information of $k$. To do this we use properties of continued fractions: we show that $k/l$ is a convergent of the continued fraction of $c/d$, which then gives $k$ as a numerator of a convergent. We use the following basic property of continued fractions (cf. theorem 184 of [?]): if $a, b \in \mathbb{N}$ and $|x - a/b| < 1/(2b^2)$ then $a/b$ is a convergent of the continued fraction of $x$. By lemma 2 below (which requires $q > 3S^2$) we have
$$\left| \frac{c}{d} - \frac{k}{l} \right| < \frac{1}{2l^2}$$
giving the required result.

Recall that $c = [kq/S]$. Then for each convergent $c_n/d_n$ of the continued fraction of $c/d$ we check if $c_n = k$ by computing $m = [c_n q/c]$ and using (c) (from the statement of the theorem) to check if it is within 1 of an integer multiple of $S$ or not. Then we output the smallest such $m$ that is within 1 of an integer multiple of $S$ (and with probability $1/\mathrm{poly}(\log S)$ this multiple is 1). The various rounding processes stay within the required accuracy because if $c = [kq/S]$ and $q > 3S^2$ then $|S - [kq/c]| < 1$. (To see this write $c = kq/S + \epsilon$ with $|\epsilon| \le 1/2$. Then
$$\frac{kq}{c} = \frac{kq}{kq/S + \epsilon} = \frac{S}{1 + \epsilon S/(kq)} = \frac{S}{1 + \alpha}$$
where $|\alpha| < 1/(6S)$ for $q > 3S^2$. Thus $kq/c = S - S\alpha/(1 + \alpha)$ and $|S\alpha/(1 + \alpha)| < 1/2$.)

The result of the whole process above is to output an integer $m$ such that $|S - m| < 1$ with probability $1/\mathrm{poly}(\log S)$. ■



Lemma 2 If $q > 3S^2$ then
$$\left| \frac{c}{d} - \frac{k}{l} \right| < \frac{1}{2l^2}$$
with $k, l, c, d$ as in eq. (17).

Proof Let $c = kq/S + \epsilon_k$ and $d = lq/S + \epsilon_l$ with $|\epsilon_k|$ and $|\epsilon_l|$ both $\le 1/2$ and wlog take $k < l < S$. Then
$$\left| \frac{c}{d} - \frac{k}{l} \right| = \left| \frac{S(\epsilon_k l - \epsilon_l k)}{l^2 q + \epsilon_l S l} \right| \le \frac{S(l + k)/2}{l^2 q - Sl/2} < \frac{S}{lq - S/2}$$
where in the second last inequality we have used the worst case $\epsilon_k = 1/2$ and $\epsilon_l = -1/2$. Finally note that
$$\frac{S}{lq - S/2} \le \frac{1}{2l^2}$$
holds if $q \ge 2lS + S/(2l)$, so $q > 3S^2$ suffices (as $l < S$). ■



Lemma 3 Let $|A| \le 1/2$ and let $\xi(l)$ be any function satisfying $|\xi(l)| < 1/n$ with $n = O(\log p)$. Then there is a constant $c$ such that for all sufficiently large $p$:
$$X = \left| \sum_{l=0}^{p-1} e^{2\pi i \left(Al/p + \xi(l)\right)} \right|^2 \ge c p^2.$$



Proof View $b_l = \exp 2\pi i (Al/p + \xi(l))$ as points on the unit circle, being $\xi(l)$-perturbations of the evenly spaced points $c_l = \exp 2\pi i Al/p$ for $l = 0, \ldots, p-1$, which range over a fraction $|A| \le 1/2$ of the whole circle.

Introduce $x, y$ axes so that the $c_l$ points are mirror symmetric in the $y$ axis with the negative $y$ axis bisecting the unused part of the circle. For all sufficiently large $p$ it is clear that the total $y$ component of $\sum b_l$, for any perturbation with $|\xi(l)| < 1/n$, is positive (since most points will lie in the half circle having $y > 0$). We claim that the smallest value of $X$ (over all possible perturbations) will occur when $\xi(l) = 1/n$ for all points $c_l$ having $x < 0$ and $\xi(l) = -1/n$ for all points having $x > 0$, i.e. $\xi(l)$ rotates points away from the positive $y$ axis, down towards the negative $y$ axis, symmetrically on the two sides of the $y$ axis. This perturbation maintains zero total $x$ component (by symmetry) and hence has the least squared total $x$ component of all perturbations, and for each point we get the least possible positive, or most negative, $y$ component amongst all perturbations. Hence the total $y$ component (always being positive) must attain its least possible value and so we have the least possible $X$ amongst all perturbations.

To obtain a lower bound on $X$ for this minimal perturbation note that since $|A| \le 1/2$, negative $y$ values can occur (if at all) only in the arcs of the circle of fraction $1/n$ below the $\pm x$ axes, which are counterbalanced by positive values in the corresponding arcs above the $\pm x$ axes. Hence all points in the arc $(2\pi/n, \pi - 2\pi/n)$ will contribute uncancelled positive $y$ values so in particular
$$X \ge [\text{number of points in arc } (\pi/4, 3\pi/4)]^2 \cdot [y \text{ component at angle } \pi/4]^2.$$
Since $|A| \le 1/2$ the number of points in $(\pi/4, 3\pi/4)$ is at least $p/3$ (actually it's only slightly less than $p/2$ for large $n$) and the $y$ component at $\pi/4$ is $1/\sqrt 2$ so $X \ge (p^2/9)(1/2) = p^2/18$ for all sufficiently large $p$. ■
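As an added worked illustration of the proof of theorem 6 together with lemma 2 (example code written here, not code from the paper): it computes the Fourier sampling distribution $|a_j|^2$ for a constructed irrational period, checks that the $j$ of eq. (15) nearest to $q/S$ carries probability well above the $c/S$ bound with the $c = 1/18$ of lemma 3, and then runs the continued fraction post-processing on two samples $c, d$ as in eq. (17) to recover an integer $m$ with $|S - m| < 1$. The values of $S$, $Q$ and the sample indices $k = 2$, $l = 3$ are constructed; because $S$ is known here, requirement (c) is tested directly against $S$ instead of through the ideal arithmetic of section 10.

```python
"""Classical simulation of theorem 6 for an irrational period S (added
example, not code from the paper).  The quantum Fourier sampling is replaced
by computing |a_j|^2 directly, and S is a constructed test value, so
requirement (c) is checked against S itself instead of via ideal arithmetic."""
import cmath
import math
from fractions import Fraction

S = 5 * math.sqrt(2)   # constructed irrational period, S ~ 7.07
Q = 256                # a power of 2 with Q > 3 S^2 = 150


def nearest_int(x):
    """The [x] of the proof: nearest integer, so |x - [x]| <= 1/2."""
    return math.floor(x + 0.5)


def fourier_probabilities(s, q):
    """|a_j|^2 after the QFT mod q of (1/sqrt p) sum_{l<p} |[l s]> (k = 0).
    [l s] is rounded to the nearest integer, one of the two choices in (14)."""
    p = int(q // s)
    shifts = [nearest_int(l * s) for l in range(p)]
    probs = []
    for jj in range(q):
        amp = sum(cmath.exp(2j * math.pi * jj * sh / q) for sh in shifts)
        probs.append(abs(amp) ** 2 / (p * q))
    return probs


def ideal_sample(k, q, s):
    """The j of eq. (15) nearest to k q / s."""
    return nearest_int(k * q / s)


def convergents(num, den):
    """Convergents (c_n, d_n) of the continued fraction of num/den."""
    h, d = [0, 1], [1, 0]        # h_{-2}, h_{-1} and d_{-2}, d_{-1}
    out = []
    while den:
        a = num // den
        num, den = den, num % den
        h.append(a * h[-1] + h[-2])
        d.append(a * d[-1] + d[-2])
        out.append((h[-1], d[-1]))
    return out


def close_to_multiple(m, s):
    """Requirement (c) of theorem 6: is |j s - m| < 1 for some integer j?"""
    return abs(m - nearest_int(m / s) * s) < 1


def recover_period(c, d, q, s):
    """Post-processing of the proof: for each convergent c_n/d_n of c/d form
    m = [c_n q / c]; return the smallest nonzero m within 1 of a multiple of s."""
    cands = [nearest_int(cn * q / c) for cn, _ in convergents(c, d) if cn > 0]
    hits = [m for m in cands if m > 0 and close_to_multiple(m, s)]
    return min(hits) if hits else None


def demo(k=2, l=3):
    """Samples c = [k Q/S], d = [l Q/S] with gcd(k, l) = 1 (constructed k, l);
    returns (c, d, lemma 2 holds, recovered m) -- expect (72, 109, True, 7)."""
    c, d = ideal_sample(k, Q, S), ideal_sample(l, Q, S)
    lemma2 = abs(Fraction(c, d) - Fraction(k, l)) < Fraction(1, 2 * l * l)
    return c, d, lemma2, recover_period(c, d, Q, S)
```

Here `demo()` returns `(72, 109, True, 7)`, with $|S - 7| \approx 0.07 < 1$; `fourier_probabilities(S, Q)[36]` is about $0.11$, well above the uniform $1/256$ and the lemma 3 bound $1/(18S)$.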

Finally we can apply theorem 6 to $h_N$ of proposition 36, having $S = NR$, to get an integer $m$ with $|NR - m| < 1$, i.e. the value of $R$ to a tolerance of $1/N$. The validity of theorem 6's requirement (c) in this case can be seen as follows.

Given an integer $m$, to test whether $|jR - m| < 1$ or not, for some $j \in \mathbb{Z}$, we first compute $I_m$, the ideal closest to $m$ on the left (which can be done in $\mathrm{poly}(\log m, \log d)$ time, cf. theorem 5). Let $I_m$ be $J_{i_0}$ in the principal cycle. Now $|jR - m| < 1$ for some $j$ iff the ideal $\mathcal{O}$ (in the repeating periodic pattern of reduced ideals placed along $\mathbb{R}$) is located at distance $< 1$ from $m$. Recall also that $\delta(J_i, J_{i+2}) > \ln 2$ and $2 \ln 2 > 1$. Hence if we look at the ideals $J_{i_0-4}, J_{i_0-3}, \ldots, J_{i_0+4}$ (which can be efficiently constructed by applying $\rho$ and $\rho^{-1}$ to $I_m$ up to four times) we will be able to see if $\mathcal{O}$ lies within distance 1 of $m$.

Putting all this together we have proved: 

Theorem 7 Given a square-free integer $d \in \mathbb{N}$ there is a quantum algorithm that will output the regulator $R$ of $\mathbb{Q}[\sqrt d]$ to accuracy $10^{-n}$ with running time $\mathrm{poly}(\log d, n)$ and success probability $1/\mathrm{poly}(\log d, n)$, so long as $10^{-n}$ is sufficiently small: $10^{-n} < d_{\min}/\log d$.

In view of proposition 12, to get $R$ to accuracy $10^{-n}$ it suffices to use the quantum algorithm in theorem 7 with a fixed (suitably large) value $n_0$ of $n$, so the success probability to get accuracy $10^{-n}$ becomes $1/\mathrm{poly}(\log d)$ but (as expected) the running time remains $\mathrm{poly}(\log d, n)$.

11 Further Remarks 

Hallgren's algorithm computes the regulator of $\mathbb{Q}[\sqrt d]$ in $\mathrm{poly}(\log d)$ time. The tenacious reader may wish to estimate the degree of the polynomial running time by assessing all the ingredients that we have described in detail.

It is interesting to compare the computational complexity of the task REG (computing the regulator of $\mathbb{Q}[\sqrt d]$) to that of the task FAC (factoring a given integer $d$), especially as the latter also admits an efficient quantum algorithm, viz. Shor's algorithm. Write $n = \log d$. The best classical algorithms for FAC and REG are sub-exponential but super-polynomial, with running times $\exp(O(n^{1/3}))$ and $\exp(O(n^{1/2}))$ respectively. Thus REG is the harder task and indeed there is a known reduction of FAC to REG (i.e. an algorithm for REG can be used to achieve FAC with the same time complexity). However it is significant to note that the sub-exponential algorithms [7] (§8) for REG depend on the truth of a suitable generalised Riemann hypothesis (GRH) associated with zeta functions on the quadratic number field. Without this assumption the best algorithm for REG has exponential running time $O(d^{1/?})$ (in fact using the same mathematical formalism of reduced ideals that we presented). Furthermore FAC is in $\mathrm{NP} \cap \mathrm{co}\text{-}\mathrm{NP}$ whereas REG is known to be in NP only under the assumption that GRH is true.

Finally we mention that in addition to solving Pell's equation, Hallgren's algorithm may be readily adapted to give efficient solutions of two further fundamental problems of computational algebraic number theory (cf. [?]): the principal ideal problem and the computation of the so-called class group of $\mathbb{Q}[\sqrt d]$ (and its size, the class number). We refer the reader to Hallgren's paper [?] for a description of these further applications and here we only make a few brief remarks about the statement of these problems.

For the usual integers $\mathbb{Z} \subset \mathbb{Q}$ all ideals are principal ideals. However in the more general setting of the algebraic integers $\mathcal{O}$ in the quadratic number field $\mathbb{Q}[\sqrt d]$ this is no longer true, i.e. there exist ideals of $\mathcal{O}$ which are not of the form $\alpha\mathcal{O}$. However proposition 11 remains true: any ideal has the form $I = \alpha\mathbb{Z} + \beta\mathbb{Z}$ (for suitable $\alpha, \beta \in \mathbb{Q}[\sqrt d]$ which are restricted by the requirement that $I$ be closed under multiplication by $\mathcal{O}$). The principal ideal problem is then: given an ideal as $I = \alpha\mathbb{Z} + \beta\mathbb{Z}$, determine whether it is a principal ideal (and if it is, compute a generator $\gamma$ such that $I = \gamma\mathcal{O}$).

The class group of $\mathbb{Q}[\sqrt d]$ provides a measure of how much the ideals of $\mathcal{O}$ can deviate from being principal. An ideal $I$ is called invertible if there exists an ideal $J$ such that $I \cdot J = \mathcal{O}$ (using the product of ideals introduced in section [?]). Clearly all principal ideals are invertible (as the inverse of $\alpha\mathcal{O}$ is $\frac{1}{\alpha}\mathcal{O}$) and the set $\mathcal{I}_{\mathrm{inv}}$ of all invertible ideals is an abelian group under multiplication of ideals (with $\mathcal{O}$ being the identity). The subset $\mathcal{P}$ of all principal ideals is a subgroup and the class group $\mathcal{C}$ is defined to be the quotient $\mathcal{C} = \mathcal{I}_{\mathrm{inv}}/\mathcal{P}$. Now it can be shown that $\mathcal{C}$ is always a finite abelian group (cf. [3]) and the class group problem is to compute a set of generators of $\mathcal{C}$ and to compute the size of $\mathcal{C}$.

Much of the theory of reduced ideals that we developed for principal ideals can be readily extended to general ideals, providing a tool for attacking these problems too. Furthermore there is a way of representing ideals in terms of binary quadratic forms on $\mathbb{Z}$. Roughly speaking, the ideal $\mathbb{Z} + \frac{b + \sqrt D}{2a}\mathbb{Z}$ is represented by the form $ax^2 + bxy + cy^2$ where $D = b^2 - 4ac$ and $x, y \in \mathbb{Z}$, and we can develop a corresponding theory of reduced forms. (See [?] for an exposition of the correspondence between ideals and quadratic forms.) Gauss devoted much effort to the class group problem when formulated in these terms, before the introduction of the concept of ideals by E. Kummer in 1847.